Vigil@nce: Solaris, denial of service via UCODE_GET_VERSION
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
On an Intel processor, a local attacker can call the
UCODE_GET_VERSION ioctl, in order to stop the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/02/2010
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
Intel processors use a microcode which converts assembler
instructions to electronic logic.
Two ioctls are available on Solaris for Intel:
– UCODE_GET_VERSION: obtains the version of the current microcode
– UCODE_UPDATE: updates the microcode
The UCODE_GET_VERSION ioctl calls the ucode_ioctl() function of
the intel/io/ucode_drv.c file, and then the ucode_get_rev()
function of the i86pc/os/microcode.c file. If the mode parameter
of the ioctl is zero, the ucode_ioctl() function calls
ucode_get_rev() with a NULL pointer, which is dereferenced. This
error stops the kernel.
On an Intel processor, a local attacker can therefore call the
UCODE_GET_VERSION ioctl, in order to stop the system.
CHARACTERISTICS
Identifiers: 143913-01, 6905530, BID-38016, CVE-2010-0453,
TKADV2010-001, VIGILANCE-VUL-9397
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-UCODE-GET-VERSION-9397