Subject: UnixWare 7.0.0: Privileged process security fix and issues and security holes in the usage of /tmp
Advisory number: n/a
Issue date: n/a
ftp://ftp.sco.com/pub/security/sse/ptf7016m

Dear SCO Customer,

Support Level Supplement (SLS) ptf7016m, the UnixWare 7.0.0 mem Driver and VM Subsystem Supplement, corrects problems in these UnixWare 7.0.0 packages:

    Base System (base)
    OS Multiprocessor Support (osmp)

If you are preparing to install any of these modified packages, discontinue the installation of SLS ptf7016m, install those packages first, and then install ptf7016m. Note which of the above packages are affected by this SLS. If you later install any of these packages on your system, you must reinstall this SLS to get the fixes for those packages.

SLS ptf7016m is dependent upon the presence of ptf7068c. ptf7068c should be installed prior to the installation of ptf7016m. To determine if the ptf7068c pre-requisite patch is installed, run the command:

    # pkginfo -l ptf7068 | grep VERSION

If the ptf7068c patch is installed, this command will return " VERSION: c".

Note: If an earlier version of ptf7068 is installed on the system, then installation of ptf7096k will fail with this error message:

    UX:pkginstall: ERROR: unknown dependency type specified: X

SLS ptf7016m is incompatible with update701, update710 and update711. ptf7016m must be removed prior to installing any of these updates.

SLS ptf7016m supersedes all previous versions of ptf7016, as well as all versions of these SLSs:

    ptf7005
    ptf7017
    ptf7029
    ptf7027

Note that these four PTFs must be removed prior to installing ptf7016m.

The following is a list of all changes included in SLS ptf7016m.

These changes were included in ptf7016a:

- A correction to memory scheduling to reduce page-aging activity when LOTSFREEBYTES is deliberately tuned to a small value. This adjustment may be helpful in increasing the performance of certain relatively static workloads.
- A correction to the swap space reclamation code in the kernel to prevent system lockups of long duration.
- A correction to the page cleaning daemon (pageout) to prevent a possible deadlock associated with the interaction of the vxfs filesystem and the pageout daemon.

This change was added in ptf7016b:

- A new interface similar to physmap1, for 64-bit physical addresses.

This change was added in ptf7016c:

- A correction to fix spurious panics on systems booted to PAE mode using enable_4gb_mem=y when using very large processes, that is, processes large enough to be allocated a private L1, governed by PRIV_l1_SIZE.

This change was added in ptf7016d:

- Modification of vm which includes removal of spinlocks that could produce a lock convoy in vm, resulting in an apparent hang.

These changes were added in ptf7016e:

- A correction to the signal-handling code in the kernel to prevent a system panic which could occur if a large, multi-threaded process dumped core to a remote NFS filesystem.
- Under unusual circumstances, the system can panic if a large, multi-threaded process dumps core to a remote NFS filesystem.
- The signal handling code in the kernel has been modified.
- Corrects an issue that could occasionally result in system panics when changing from initstate 1 to initstate 3.
- Addresses issues of panics on ClearCase servers.
- Contains an updated device driver for the VxFS filesystem to address process hangs.
- Corrects the way the licensing subsystem uses the memfs filesystem at system startup.
- Corrects the problem where cpio failed to parse its arguments and displayed this error message:

      UX:cpio HALT: Unrecognized xattr: MARK error

- Improves reliability of systems that are using auditing under a heavy work load.
- Further modifications to prevent:

      PANIC: kernel-mode address fault on kernel address 0xFFD01004.

- Mounting vxfs filesystems >128G with 1K block size or >256G with 2K block size will now succeed.
- Corrects a problem where the system is subject to panic or hang, especially when running a heavy file system load. The panics typically originate from virtual memory management functions.

This change was added in ptf7016f:

- pvn functions have been changed to obey offset even when len == 0.

This change was added in ptf7016g:

- Modified pae_hat_uas_unshield to prevent "PANIC: occurs in pae_hat_loadpte".

This change was added in ptf7016h:

- Corrects a race condition by single-threading spec_open/close per device, thereby preventing possible memory corruption.

These changes were added in ptf7016i:

- Changed segpse and segdev. segpse now converts to segdev, and segdev has been changed to be able to use 4MB mappings and use less kvm to maintain the vpages array.
- Allow the variable sendv_force_rcopy to be set to 1 via fs/space.c, and make the default 1 rather than 0.
- Corrects the way the kernel locks and frees shared memory pages when the system is running low on memory, which caused Oracle 8 processes to hang.

These changes were added in ptf7016j:

- Modified the watchdog routine to avoid a possible deadlock.
- Corrects a panic which might occur when all the paths have failed in an mpio configuration.
- Correction to the shared page table optimization for DSHM.
- Addresses a problem where a process might hang in kmem_alloc (or a related function) even though perhaps as much as 45% of the kernel virtual space is free.
These changes are new for ptf7016k:

- A new improved crash; also delivered in ptf7407.
- ul99-25709 erg711057: performance bug can consume the whole of memory, forcing a box to start swapping.
- ul99-10314 erg710878: saber panics seen in sv_signal().
- ul98-33901 erg501038: deviage temporary system hangs under extreme load using multi-lwp'ed processes.
- ul99-13913 erg710937: timeloss system hang running benchmarks.
- ul99-25105 erg711051: unloading DLM hangs the system; deadlock in canput() due to a locked stream.

These changes are new for ptf7016l:

- ul99-15306: A security problem has been eliminated by disallowing core dumps if there is already a corefile (or any other object) of the same name in the current directory. A security problem has been eliminated by disallowing core dumps of setgid processes (processes running with an effective group ID different from the user's real group ID). An administrator may now select old-style corefile naming, whereby the process-ID suffix normally attached to every corefile name is eliminated and every corefile is just named "core". This is intended to address situations in which it is unacceptable for a disk to fill up with corefiles. It is recommended that administrators stick with the current default behavior, however. The tunable that controls this behavior is named COREFILE_PIDS.
- ul99-13704: This change closes security holes in the usage of /tmp involving linking or symbolic linking of well-known temporary file names to critical system files. It is implemented as additional restrictions on link, rename (mv) and symbolic linking in directories that have the sticky bit set. See the mr and the U95 standards pages for more specifics.
- ul99-32801 and ul99-33011 erg501245: Disk corruption seen with PAE on and greater than 4GB physical memory (all of which is general purpose) whilst performing I/O on a VxVM block device. The fix is for a kernel memory corrupting issue and is not specific to PAE or volume manager; this is simply the method required to reproduce the critical symptom observed by the customer. Note: PAE mode is enabled by setting ENABLE_4GB_MEM=YES in /stand/boot, or by issuing this during an interactive boot.

SLS ptf7016m now also addresses these additional issues:

- ul99-20814: Address space of privileged processes was accessible by regular users. Privileged processes could then be traced, opening several security holes. This has been fixed by making the address space inaccessible to regular users.
- ul99-20009: Privileged processes could core dump. Sensitive data is often located inside the core files of privileged processes. This has been fixed by no longer allowing privileged processes to core dump.

SLS ptf7016m contains these files:

    /etc/conf/pack.d/mem/Driver_atup.o
    /etc/conf/pack.d/mem/Driver_mp.o
    /etc/conf/pack.d/mem/space.c
    /etc/conf/dtune.d/mem
    /etc/conf/mtune.d/mem
    /etc/conf/pack.d/pse/stubs.c
    /etc/conf/pack.d/pse/Driver_atup.o
    /etc/conf/pack.d/pse/Driver_mp.o
    /etc/conf/pack.d/segdev/Driver_atup.o
    /etc/conf/pack.d/segdev/Driver_mp.o
    /etc/conf/pack.d/ipc/Driver_atup.o
    /etc/conf/pack.d/ipc/Driver_mp.o
    /etc/conf/pack.d/segshm/Driver_atup.o
    /etc/conf/pack.d/segshm/Driver_mp.o
    /etc/conf/pack.d/specfs/Driver_atup.o
    /etc/conf/pack.d/specfs/Driver_mp.o
    /etc/conf/pack.d/proc/Driver_atup.o
    /etc/conf/pack.d/proc/Driver_mp.o
    /etc/conf/pack.d/proc/space.c
    /etc/conf/dtune.d/proc
    /etc/conf/mtune.d/proc
    /etc/conf/pack.d/memfs/Driver_atup.o
    /etc/conf/pack.d/memfs/Driver_mp.o
    /etc/conf/pack.d/s5/Driver_atup.o
    /etc/conf/pack.d/s5/Driver_mp.o
    /etc/conf/pack.d/util/Driver_atup.o
    /etc/conf/pack.d/util/Driver_mp.o
    /etc/conf/pack.d/vxfs/Driver_atup.o
    /etc/conf/pack.d/vxfs/Driver_mp.o
    /etc/conf/pack.d/fs/Driver_atup.o
    /etc/conf/pack.d/fs/Driver_mp.o
    /etc/conf/pack.d/fs/space.c
    /etc/conf/mtune.d/fs
    /etc/conf/pack.d/kernel/Driver_atup.o
    /etc/conf/pack.d/kernel/Driver_mp.o
    /etc/conf/pack.d/sfs/Driver_atup.o
    /etc/conf/pack.d/sfs/Driver_mp.o
    /etc/conf/interface.d/system.2
    /usr/include/sys/systm.h
    /usr/include/sys/vmparam.h
    /usr/sbin/crash
    /usr/include/vm/hat.h
    /usr/include/vm/vm_hat.h
    /usr/include/vm/seg_dev.h

Software Notes and Recommendations
----------------------------------

SLS ptf7016m should only be installed on:

    UnixWare 7.0.0 with UnixWare 7 Release Supplement (uw7rs) applied

To find out what release your system is running, use the command:

    # uname -sv

The command will return "UnixWare 7" if this release is installed.

To determine if the UnixWare 7 Release Supplement is installed, run the command:

    # pkginfo | grep uw7rs

If the Release Supplement is installed, this command will return "patch uw7rs uw7rs - SCO UnixWare 7 Release Supplement."

Note: SLS ptf7016m prevents the uw7rs package from being installed on top of it. The uw7rs package must be installed prior to installing SLS ptf7016m.

Installation Instructions
-------------------------

1. Download the ptf7016m.Z file to the /tmp directory on your machine.

2. As root, uncompress the file and add the SLS package to your system using these commands:

       $ su
       # uncompress /tmp/ptf7016m.Z
       # pkgadd -d /tmp/ptf7016m

3. Shut down and reboot the system after installing this SLS package.

Note: A system reboot is required following installation of this SLS for the kernel sections to take effect. However, if you have not already installed any other SLS which you need, you should do so before rebooting.

Removal Instructions
--------------------

1. As root, remove the SLS package using this command:

       # pkgrm ptf7016

2. Shut down and reboot the system after removing the SLS package.

If you have questions regarding this SLS, or the product on which it is installed, please contact your software supplier.

We appreciate your business.

SCO Support Services
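The ul99-13704 change above keys its link, rename and symlink restrictions on the sticky bit of the directory, so the condition an administrator wants to verify is that every world-writable directory actually carries that bit and holds no symbolic links that point at files elsewhere on the system. The following POSIX sh script is an added example, not part of the SCO advisory or its SLS; the script name tmpaudit.sh is hypothetical, and it assumes only ls, cut and sed.

```sh
#!/bin/sh
# Added example, not part of the SCO advisory: audit a world-writable
# directory such as /tmp for the condition behind the ul99-13704 fix.
# The new link/rename/symlink restrictions apply only to directories with
# the sticky bit set, so a world-writable directory lacking it is the case
# to catch. Uses only ls, cut and sed so it also runs on SVR4-era systems
# without stat(1) or readlink(1).

# sticky_state DIR: prints ok (world-writable and sticky), no-sticky
# (world-writable, sticky bit missing), not-public, or missing.
sticky_state() {
    [ -d "$1" ] || { echo missing; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxrwxrwt
    other_w=$(echo "$mode" | cut -c9)     # 'w' if others may write
    other_x=$(echo "$mode" | cut -c10)    # 't' or 'T' if sticky bit set
    if [ "$other_w" != w ]; then
        echo not-public; return 0
    fi
    case $other_x in
        t|T) echo ok; return 0 ;;
        *)   echo no-sticky; return 1 ;;
    esac
}

# foreign_links DIR: prints "link -> target" for each symbolic link
# directly inside DIR that resolves outside DIR, i.e. the "well known
# temporary file name -> critical system file" pattern.
foreign_links() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$f" ] || continue
        target=$(ls -ld "$f" | sed 's/.* -> //')
        inside=1
        case $target in
            "$dir"/*) ;;            # absolute path that stays inside DIR
            /*) inside=0 ;;         # absolute path elsewhere
        esac
        case $target in *..*) inside=0 ;; esac   # .. traversal leaves DIR
        [ $inside = 1 ] || echo "$f -> $target"
    done
}

# Usage: sh tmpaudit.sh /tmp /var/tmp
for d in "$@"; do
    echo "$d: $(sticky_state "$d")"
    foreign_links "$d"
done
```

A directory reported as no-sticky gets none of the kernel's new protection even with ptf7016m installed, so the usual remedy is chmod 1777 on it.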