Software Engineering Institute

The Sun Solaris priocntl(2) function provides the ability to control the scheduling of lightweight processes (LWPs). LWPs are grouped into several classes, each class having a different scheduling policy. The priocntl(2) command PC_GETCID can be used to get the class ID and attributes for a class of LWPs. The PC_GETCID command can take as an argument a pointer to a structure of type pcinfo_t that contains information about the class. A pcinfo_t structure includes a member called pc_clname that specifies the name of the class, and in certain cases, the name of a kernel module that implements the process scheduling policy for the class. priocntl(2) searches for the kernel module specified by pc_clname in /kernel/sched and /usr/kernel/sched.

priocntl(2) does not adequately validate the data in pc_clname. As demonstrated by the exploit code posted to the BugTraq mailing list, an attacker with local user privileges can:

1. create an arbitrary kernel module and place it in a writable location (/tmp/module for instance),
2. create an arbitrary pcinfo_t structure with pc_clname set to the location of the kernel module relative to /usr/kernel/sched (../../../tmp/module), and
3. issue a priocntl(2) call using the PC_GETCID command and a pointer to the pcinfo_t structure created by the attacker.

A local attacker could execute code with superuser privileges.

Apply Patch or Upgrade

Sun Alert ID 49131 states that "A final resolution is pending completion."

Change Location of /sched Directories

Sun Alert ID 49131 includes a workaround that involves nesting the /sched directories deeply enough that they cannot be traversed in the space available in pc_clname.