Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0552 Solaris 10 patches 141444-09/141445-09 May Cause EFI Labeled LUNs to Become Inaccessible Due to Incorrect Device Nodes Being Presented 21 June 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Extensible Firmware Interface Publisher: Sun Microsystems Operating System: Solaris 10 Impact/Access: Denial of Service -- Existing Account Resolution: Mitigation Original Bulletin: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-77-1124204.1-1 - --------------------------BEGIN INCLUDED TEXT-------------------- Article ID : 1124204.1 Article Type : Sun Alerts (SURE) Last reviewed : 2010-06-19 Audience : PUBLIC Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates. Solaris 10 patches 141444-09/141445-09 May Cause EFI Labeled LUNs to Become Inaccessible Due to Incorrect Device Nodes Being Presented _________________________________________________________________ Category: Availability Release Phase: Workaround In this Document [1]Description [2]Likelihood of Occurrence [3]Possible Symptoms [4]Workaround or Resolution [5]Patches [6]Modification History [7]References _________________________________________________________________ Applies to: Sun Software > Operating Systems > Solaris Operating System Sun SPARC Sun OS x86 SUNBUG [8]6912703 Date of Workaround Release: 15-Jun-2010 Description An issue with the sd/ssd(7D) driver delivered in Solaris 10 patches [9]141444-09 (SPARC) and [10]141445-09 (x86) may, upon reboot after installing the patches, cause EFI (Extensible Firmware Interface) LUNs less than 2TB in size to become inaccessible via Veritas Storage Foundation/VxVM software. The sd/ssd driver fails to present the "whole disk" device node for EFI labeled disks below 2TB. Likelihood of Occurrence This issue can occur in the following releases: SPARC Platform * Solaris 10 with patch [11]141444-09 x86 Platform * Solaris 10 with patch [12]141445-09 Notes: 1. This issue does not affect Solaris Volume Manager (SVM) software. 2. Solaris 8, Solaris 9, and OpenSolaris are not impacted by this issue. 3. Solaris 10 hosts with patch [13]141444-09/[14]141445-09 may be impacted by this issue only if both of the following conditions are met: - EFI labeled LUNs (disks) are created on active/passive arrays. This involves having at least one online and one standby path to external storage with the EFI LUN. - The size of the EFI LUN is less than 2TB. 4. To identify and determine if a disk is EFI labeled, run the format utility and observe the output. An EFI labeled disk has only LUN/disk capacity mentioned and does not have <cyl# alt# hd# sec#> values after cXtXdX. In the example below, only disk 1 and disk 2 (with capacity 1.5TB and 300.00GB repectively), are EFI labeled disks: bash-3.00# format Searching for disks... 0. c6t500151795879BF5Dd0 <DEFAULT cyl 8933 alt 2 hd 255 sec 63> /scsi_vhci/disk@g500151795879bf5d 1. c6t600A0B800035E82F00002DB84BBD2A04d0 <SUN-LCSM100_F-0670-1.5TB> /scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04 2. c6t600A0B800034D6D2000006ED4BBD2899d0 <SUN-LCSM100_F-0670-300.00GB> /scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899 3. c6t5000C500063A50BFd0 <SUN146G cyl 14087 alt 2 hd 24 sec 848> /scsi_vhci/disk@g5000c500063a50bf 4. c3t201600A0B8487152d1 <drive type unknown> /scsi_vhci/disk@g500151795879be40 Specify disk (enter its number): ^C Possible Symptoms Should the described issue occur, an affected EFI labeled LUN will not have the "whole disk" device node. Instead in /dev/[r]dsk/ you will find, for example, that cXtYdZs7 is symlink'd to /.../...:h for a device known to have an EFI label, as in the following example: bash-3.00# ls -l /dev/dsk/c6t600A0B800035E82F00002DB84BBD2A04d0* lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s0 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:a lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s1 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:b lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s2 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:c lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s3 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:d lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s4 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:e lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s5 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:f lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s6 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:g lrwxrwxrwx 1 root root 63 Apr 8 14:58 /dev/dsk/c6t600A0B800035E 82F00002DB84BBD2A04d0s7 -> ../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:h A normal/unaffected EFI labeled LUN with the "whole disk" device node has, for example, the cXtYdZ symlink'd to /.../...:wd device node, as in the following example: bash-3.00# ls -l /dev/dsk/c6t600A0B800034D6D2000006ED4BBD2899d0* lrwxrwxrwx 1 root root 64 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:wd lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s0 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:a lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s1 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:b lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s2 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:c lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s3 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:d lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s4 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:e lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s5 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:f lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D 6D2000006ED4BBD2899d0s6 -> ../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:g The following are example errors the user may see as a result of this issue: # vxdisk list DEVICE TYPE DISK GROUP STATUS c2t5006016130216F40d8 auto:cdsdisk - - online -- or -- c2t5006016130216F40d8s2 auto - - error Then vxdisk list of the LUN will show the following # vxdisk list c2t5006016130216F40d8 Device: c2t5006016130216F40d8 devicetag: c2t5006016130216F40d8 type: auto hostid: disk: name= id=1271818562.21.sprst5120b4-03.spr.spt.symantec.com group: name= id= info: format=cdsdisk,privoffset=208,pubslice=2,privslice=2 flags: online ready private autoconfig autoimport pubpaths: block=/dev/vx/dmp/c2t5006016130216F40d8s2 char=/dev/vx/rdmp/c2t50060 16130216F40d8s2 guid: - udid: DGC%5FRAID%205%5FDISKS%5F60060160A3821800F4273FF3D6FEDE11 site: - version: 3.1 iosize: min=512 (bytes) max=2048 (blocks) public: slice=2 offset=65744 len=2566848208 disk_offset=48 private: slice=2 offset=208 len=65536 disk_offset=48 update: time=1271818609 seqno=0.2 ssb: actual_seqno=0.0 headers: 0 240 configs: count=1 len=48144 logs: count=1 len=7296 Defined regions: config priv 000048-000239[000192]: copy=01 offset=000000 disabled config priv 000256-048207[047952]: copy=01 offset=000192 disabled log priv 048208-055503[007296]: copy=01 offset=000000 disabled lockrgn priv 055504-055647[000144]: part=00 offset=000000 Multipathing information: numpaths: 4 c2t5006016130216F40d8 state=enabled type=primary <<<<<<< Looks likes the EFI c2t5006016930216F40d8s2 state=enabled type=secondary <<<<<<< The rest is now SMI c3t5006016130216F40d8s2 state=enabled type=primary c3t5006016930216F40d8s2 state=enabled type=secondary In addition, the LUN device tree will show the following. Note only the first LUN will display EFI: lrwxrwxrwx 1 root root 94 Apr 20 19:38 c2t5006016130216F40d8 -> ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:wd,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s0 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:a,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s1 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:b,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s2 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:c,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s3 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:d,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s4 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:e,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s5 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:f,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s6 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130 216f40,8:g,raw lrwxrwxrwx 1 root root 94 Apr 20 19:55 c2t5006016930216F40d8 -> ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:wd,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s0 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:a,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s1 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:b,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s2 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:c,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s3 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:d,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s4 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:e,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s5 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:f,raw lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s6 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930 216f40,8:g,raw lrwxrwxrwx 1 root root 95 Feb 12 09:40 c3t5006016130216F40d8s0 - > ../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0/ssd@w50060161 30216f40,8:a,raw ... ... Workaround or Resolution To work around this issue, patchrm(1M) can be used to remove patches [15]141444-09/[16]141445-09 that cause this issue. However, because these patches deliver certain security fixes, this may not be advisable. Binary relief is available through normal support channels. A final resolution is pending completion. Patches Modification History 15-Jun-2010: Workaround release References Responsible Engineer: Sharath.Srinivasan@Sun.COM Attachments This solution has no attachment [17]About Oracle | [18]Oracle and Sun | [19]Oracle RSS Feeds | [20]Subscribe | [21]Careers | [22]Contact Us | [23]Site Maps | [24]Legal Notices | [25]Terms of Use | [26]SunSolve Terms of Use | [27]Your Privacy Rights | Copyright © 2010, Oracle Corporation and/or its affiliates | SunSolve Version 7.5.1 (build #1) References 1. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#DESCRIPTION 2. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#OCCURRENCE 3. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#SYMPTOMS 4. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#WORKAROUND 5. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#PATCHES 6. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#HISTORY 7. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#REF 8. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-1-6912703-1 9. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1 10. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1 11. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1 12. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1 13. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1 14. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1 15. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1 16. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1 17. http://www.oracle.com/us/corporate/index.htm 18. http://www.oracle.com/sun/index.html 19. http://www.oracle.com/rss/index.html 20. http://www.oracle.com/subscribe/index.html 21. http://www.oracle.com/corporate/employment/index.html 22. http://www.sun.com/contact/support.jsp 23. http://www.oracle.com/sitemaps/sitemaps.html 24. http://www.oracle.com/html/copyright.html 25. http://www.oracle.com/html/terms.html 26. file://localhost/sunsolveTermsOfUse.do 27. http://www.oracle.com/html/privacy.html - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFMHqs1/iFOrG6YcBERAkChAKC7Vik36pHpch+MR9WlVteNdLEqigCfaMN7 VfG4/9F1IbV0QS31KdUIeE0= =i6Zt -----END PGP SIGNATURE-----