Critical vulnerability in Solaris 10 multicast filter
The IP kernel module of Solaris 10 can panic when sent a crafted IOCTL request by a local unprivileged user due to a data typing mismatch in ip_multi.c. A user-supplied unsigned integer gets assigned to a signed integer variable, potentially resulting in a negative value. This leads to a check being bypassed and ultimately an out of bounds write that corrupts kernel memory.
Tobias Klein who discovered the vulnerability states that it can be used to deny service or potentially to execute injected code with kernel privilege.
Solaris 10 without patch 137111-01 for SPARC and X86, and OpenSolaris based upon builds snv_13 through snv_91 for SPARC and x86 are affected. Solaris 8 and 9 are not affected. There is no workaround, but Solaris 10 with patch 137111-01 or later and OpenSolaris based upon builds snv_92 or later for both platforms are immune.
See also
- A Security Vulnerability in IP Multicast Filter processing of Sockets may lead to a system panic or possible execution of Arbitrary Code, Sun Microsystems advisory
- Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow, advisory by Tobias Klein
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
