Note: Please see the announcement at the end of this advisory.
=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================
[8lgm]-Advisory-25.UNIX.sun4c.locore.01-09-1995
KERNEL OBJECT:
locore.o
VULNERABLE VERSIONS:
SunOS 4.1.*, sun4c architecture
DESCRIPTION:
Executing a ta 0xff (trap_mon) instruction from user mode leaves the
CPU in an inconsistent state.
IMPACT:
Local users can cause a watchdog reset, or bad instruction kernel
panic.
DISCUSSION:
This is believed only to affect the sun4c architecture.
All entries in the trap vector table, apart from the trap_mon entry,
set register %l6 to 7 before branching to sys_trap. 7 is believed to
be the number of usable register windows on the sun4c architecture
(allowing for window overlap), and sys_trap relies on it being set.
trap_mon checks the processor state register to ensure that the trap
was taken in supervisor mode. If it was not, it branches to sys_trap
to handle the error.
Therefore, if we execute ta 0xff from user mode, we branch to sys_trap
with whatever value %l6 happened to contain. This can subsequently
cause an illegal instruction panic, or a window underflow watchdog
reset.
FIX:
Looking at locore.o, this is the current trap vector entry
for ta 0xff:
0xff0: a1480000 = rd %psr, %l0
0xff4: 108004cb = ba trap_mon
0xff8: a81020ff = mov 0xff, %l4
0xffc: 01000000 = nop
Utilising the free nop instruction, we can patch locore.o to set
register %l6 to 7. Moving the ba one word later means its displacement
must shrink by one (0x4cb becomes 0x4ca) so that it still reaches
trap_mon, and the mov 0x7, %l6 in the delay slot is executed before
control arrives there:
0xff0: a1480000 = rd %psr, %l0
0xff4: a81020ff = mov 0xff, %l4
0xff8: 108004ca = ba trap_mon
0xffc: ac102007 = mov 0x7, %l6
A new kernel must then be built.
This patch has run successfully for several months on a
SunOS 4.1.3_U1 machine. However, this patch comes with no
guarantees, and must be used at your own risk.
Alternatively, contact your vendor for a fix.
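Worked example (added here; this is not code from the [8lgm] advisory):
a small C program that encodes the SPARC V8 instruction forms appearing
in the listing above, checks the advisory's patch against them, and
generalises the rewrite to any trap vector entry of the same shape.
Offsets are taken relative to the trap table (each entry is four words,
so trap type tt sits at 16*tt, and ta 0xff raises trap type 0xff),
which is why the table base is assumed to be zero; the function and
constant names are mine.

```c
/* Encode/decode the SPARC V8 instruction forms in the sun4c trap vector
 * entry for trap type 0xff and rewrite such an entry as the advisory does:
 * move "mov tt,%l4" ahead of the "ba", shorten the branch displacement by
 * one word so it still reaches trap_mon, and put "mov 7,%l6" in the delay
 * slot. Added example, not advisory code; names are the author's own.
 * Offsets are relative to the trap table, so the table base is assumed 0. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_G0  0
#define REG_L0 16
#define REG_L4 20
#define REG_L6 22
#define INSN_NOP 0x01000000u                  /* nop == sethi 0,%g0 */

/* The entry from the advisory's listing of locore.o (offset 0xff0). */
const uint32_t kAdvisoryEntry[4] = { 0xa1480000u, 0x108004cbu, 0xa81020ffu, INSN_NOP };
/* What the advisory says the patched entry should read. */
const uint32_t kAdvisoryPatch[4] = { 0xa1480000u, 0xa81020ffu, 0x108004cau, 0xac102007u };

/* Format 3, immediate form: op=10 | rd | op3 | rs1 | i=1 | simm13. */
static uint32_t fmt3_imm(unsigned rd, unsigned op3, unsigned rs1, int simm13)
{
    return (2u << 30) | (rd << 25) | (op3 << 19) | (rs1 << 14) | (1u << 13)
         | ((uint32_t)simm13 & 0x1fffu);
}

uint32_t insn_mov_imm(int imm, unsigned rd)   /* mov imm,rd == or %g0,imm,rd */
{
    return fmt3_imm(rd, 0x02u, REG_G0, imm);
}

uint32_t insn_rd_psr(unsigned rd)             /* rd %psr,rd (op3 = 0x29) */
{
    return (2u << 30) | (rd << 25) | (0x29u << 19);
}

/* Format 2 Bicc: op=00 | a=0 | cond=1000 (always) | op2=010 | disp22 in words. */
uint32_t insn_ba(int32_t disp22)
{
    return (8u << 25) | (2u << 22) | ((uint32_t)disp22 & 0x3fffffu);
}

int is_ba(uint32_t insn) { return (insn & 0xffc00000u) == 0x10800000u; }

/* Target of a ba sitting at address pc: pc + 4 * sign-extended disp22. */
uint32_t ba_target(uint32_t pc, uint32_t insn)
{
    int32_t disp = (int32_t)(insn << 10) >> 10;
    return pc + 4u * (uint32_t)disp;
}

uint32_t tt_offset(unsigned tt) { return 16u * tt; }   /* four words per entry */

/* True if the entry is "rd %psr,%l0; ba X; mov tt,%l4; nop" with the nop free. */
int entry_is_patchable(unsigned tt, const uint32_t in[4])
{
    return in[0] == insn_rd_psr(REG_L0) && is_ba(in[1]) &&
           in[2] == insn_mov_imm((int)tt, REG_L4) && in[3] == INSN_NOP;
}

/* Rewrite to "rd %psr,%l0; mov tt,%l4; ba X; mov 7,%l6". 0 on success, -1 otherwise. */
int patch_trap_entry(uint32_t base, unsigned tt, const uint32_t in[4], uint32_t out[4])
{
    if (!entry_is_patchable(tt, in))
        return -1;
    uint32_t pc = base + tt_offset(tt);
    uint32_t target = ba_target(pc + 4, in[1]);          /* ba was the 2nd word */
    int32_t new_disp = (int32_t)(target - (pc + 8)) / 4;  /* ba becomes the 3rd */
    out[0] = in[0];
    out[1] = in[2];
    out[2] = insn_ba(new_disp);
    out[3] = insn_mov_imm(7, REG_L6);
    return 0;
}

/* Rewrite the advisory's entry and compare with the advisory's patch: same
 * words, same branch target, %l6 set in the delay slot. Returns 1 if all hold. */
int check_advisory_patch(void)
{
    uint32_t out[4];
    if (patch_trap_entry(0, 0xff, kAdvisoryEntry, out) != 0) return 0;
    if (memcmp(out, kAdvisoryPatch, sizeof out) != 0) return 0;
    if (ba_target(0xff4, kAdvisoryEntry[1]) != ba_target(0xff8, out[2])) return 0;
    return out[3] == insn_mov_imm(7, REG_L6);
}

int main(void)
{
    uint32_t out[4];
    unsigned i;
    if (patch_trap_entry(0, 0xff, kAdvisoryEntry, out) != 0) {
        puts("entry does not have the expected shape; not patching");
        return 1;
    }
    for (i = 0; i < 4; i++)
        printf("0x%03x: %08x -> %08x\n", 0xff0 + 4 * i, kAdvisoryEntry[i], out[i]);
    printf("ba target before/after: 0x%x / 0x%x, matches advisory: %s\n",
           ba_target(0xff4, kAdvisoryEntry[1]), ba_target(0xff8, out[2]),
           check_advisory_patch() ? "yes" : "no");
    return 0;
}
```

The check worth making before writing anything into locore.o is the
branch target: once the ba sits one word later its displacement must be
one smaller, otherwise the patched entry no longer lands on trap_mon.
The rewrite also refuses entries whose fourth word is not a free nop,
since there is then no slot to put the mov 0x7, %l6 in.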
STATUS UPDATE:
The file:
[8lgm]-Advisory-25.UNIX.sun4c.locore.01-09-1995.README
will be created on www.8lgm.org. This will contain updates on
any further versions which are found to be vulnerable, and any
other information received pertaining to this advisory.
-----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:
majordomo@8lgm.org (Mailing list requests - try 'help' for details)
8lgm@8lgm.org (Everything else)
8LGM FILESERVER:
All [8LGM] advisories may be obtained via the [8LGM] fileserver.
For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
8LGM WWW SERVER:
[8LGM]'s web server can be reached at http://www.8lgm.org.
This contains details of all 8LGM advisories and other useful
information.
===========================================================================
ANNOUNCEMENT
[8lgm] are pleased to announce a new format for future advisories.
From advisory 26 onwards, exploits will no longer be made available.
These will be replaced by libC/Inside reports, which will provide
a more detailed insight into a vulnerability.
libC/Inside, a package developed by Electris Software Limited,
has been used by [8lgm] to discover vulnerabilities for some time.
The syslog and sendmail advisories were based on analysing
libC/Inside reports.
[8lgm] would like to thank Electris Software Limited for permission
to use libC/Inside reports in advisories.
For a limited period, libC/Inside is available at a special
discount to 8lgm subscribers. Please contact Electris for
details.
For further information about libC/Inside, see:
http://www.electris.com
or mail electris@electris.com for details.
===========================================================================