======= Summary ======= Name: Solaris 11 USB hub class descriptor kernel stack overflow Release Date: 2 November 2011 Reference: NGS00042 Discoverer: Andy Davis Vendor: Oracle Vendor Reference: Systems Affected: Solaris 8, 9, 10, and 11 Express Risk: High Status: Published ======== TimeLine ======== Discovered: 27 January 2011 Released: 27 January 2011 Approved: 27 January 2011 Reported: 27 January 2011 Fixed: 19 July 2011 Published: 2 November 2011 =========== Description =========== A local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack overflow ================= Technical Details ================= If the wMaxPacketSize field within a USB hub class Endpoint descriptor is set to a value >= 0x1125, it causes a kernel stack overflow Jan 27 13:36:59 solaris ^Mpanic[cpu1]/thread=d742ada0: Jan 27 13:36:59 solaris genunix: [ID 549817 kern.notice] segkp_fault: accessing redzone Jan 27 13:36:59 solaris unix: [ID 100000 kern.notice] Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a540 genunix:segkp_fault+238 (d1061f68, fec24c20,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a590 unix:segkmem_fault+8e (d1061f68, fec24c60,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a630 genunix:as_fault+4c1 (d1061f68, fec23da0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a690 unix:pagefault+1ac (d23bd000, 0, 1, 1) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a740 unix:trap+136f (d742a754, d23bd000,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a754 unix:_cmntrap+7c (fea501b0, d1010000,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a7c8 ehci:ehci_calculate_bw_availability_mask+48 (d2089000, 2892, 0, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a838 ehci:ehci_find_bestfit_hs_mask+c8 (d2089000, d742a8fa,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a888 ehci:ehci_allocate_high_speed_bandwidth+126 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a8b8 ehci:ehci_allocate_bandwidth+21 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a918 ehci:ehci_hcdi_pipe_open+dd (d6c84be0, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a968 usba:usb_pipe_open+260 (d1d01cf0, d851ec70,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a998 usba:hubd_open_intr_pipe+37 (d851ec40, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a9c8 usba:hubd_check_ports+f0 (d851ec40, d1d01cf0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa38 usba:usba_hubdi_attach+43a (d1d01cf0, 0, 0, 0) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa68 genunix:devi_attach+a5 (d1d01cf0) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa88 genunix:attach_node+9a (d1d01cf0, 1, d2076c) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aab8 genunix:i_ndi_config_node+c1 (d1d01cf0, 6, 0, d1d) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aad8 genunix:i_ddi_attachchild+3d (d1d01cf0, 0, d742aa) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aaf8 genunix:devi_attach_node+bb (d1d01cf0, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab38 genunix:config_immediate_children+e6 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab78 genunix:ndi_busop_bus_config+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac18 usba:hubd_bus_config+dc (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac48 genunix:devi_config_common+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac68 genunix:ndi_devi_config+13 (d17f3340, 1020008) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aca8 genunix:ndi_devi_online+fc (d17f3340, 0, 0, f8a) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad18 usba:hubd_hotplug_thread+52b (e0553c50, d1db8b9c,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad88 genunix:taskq_d_thread+a3 (d3b94410, 0) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad98 unix:thread_start+8 () =============== Fix Information =============== This issue is addressed in the Oracle Critical Patch Update Advisory - July 2011, which is available at the following URL: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html NGS Secure Research http://www.ngssecure.com