COMMAND

    /dev/audio

SYSTEMS AFFECTED

    Solaris 2.5/2.6

PROBLEM

    Andrea  Costantino  found  following.   While  playing around with
    Solaris/SPARC audio device (/dev/audio, linked to CS4231  hardware
    on  /devices/sbus  etc.etc.)  he  mistyped  playing  and recording
    buffer, in  a simple  full duplex  phone emulator  program he  was
    testing.   While  the  program  was  running  on  an  Ultra/1 with
    Solaris 2.5.1 installed, after  a short time the  machine rebooted
    with a kernel panic.  Please  note that he was running program  as
    a non privileged user (UID!=0).

    The programming error was a very short buffer, 2 bytes instead  of
    64 for recording  and playing buffer.   He did nothing  special in
    this program, and  all system calls  he made were  standard system
    calls, as documented in "man audio".

    It seems that with short buffer  the machine ran out of some  type
    of  resource.   In  fact,  in  a  short  time the X server stopped
    working.  After less  than 5 secs it  dumped a kernel panic,  that
    rebooted.   Nothing happened  with a  longer buffer  (tried 64 and
    more bytes).   Andrea was sampling  2 bytes for  sample, 22050 Hz,
    Mono, Linear Encoding.

    As far as  it is to  be known the  /dev/audio permission are  600,
    with device owned by root, with no user logged on console.  When a
    user logs in console, the  login process assign him/her the  audio
    device (with audioctl device also), so any user logging in console
    has the opportunity to crash the machine, even if a Stop-A -> sync
    procedure is much  simpler if a  malicious user has  gained access
    to console.  Anyway, if a user (or the root itself) changes  audio
    permissions  to  666,  any  logged  user  could  easily  crash the
    workstation.

SOLUTION

    Nothing yet (besides,  it was tested  onnly once and  I didn't see
    any reports further).