Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0552
Solaris 10 patches 141444-09/141445-09 May Cause EFI Labeled LUNs to Become
Inaccessible Due to Incorrect Device Nodes Being Presented
21 June 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Extensible Firmware Interface
Publisher: Sun Microsystems
Operating System: Solaris 10
Impact/Access: Denial of Service -- Existing Account
Resolution: Mitigation
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-77-1124204.1-1
- --------------------------BEGIN INCLUDED TEXT--------------------
Article ID : 1124204.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-06-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its
affiliates.
Solaris 10 patches 141444-09/141445-09 May Cause EFI Labeled LUNs to
Become Inaccessible Due to Incorrect Device Nodes Being Presented
_________________________________________________________________
Category: Availability
Release Phase: Workaround
In this Document
[1]Description
[2]Likelihood of Occurrence
[3]Possible Symptoms
[4]Workaround or Resolution
[5]Patches
[6]Modification History
[7]References
_________________________________________________________________
Applies to:
Sun Software > Operating Systems > Solaris Operating System
Sun SPARC Sun OS
x86
SUNBUG [8]6912703
Date of Workaround Release: 15-Jun-2010
Description
An issue with the sd/ssd(7D) driver delivered in Solaris 10 patches
[9]141444-09 (SPARC) and [10]141445-09 (x86) may, upon reboot after
installing the patches, cause EFI (Extensible Firmware Interface) LUNs
less than 2TB in size to become inaccessible via Veritas Storage
Foundation/VxVM software. The sd/ssd driver fails to present the
"whole disk" device node for EFI labeled disks below 2TB.
Likelihood of Occurrence
This issue can occur in the following releases:
SPARC Platform
* Solaris 10 with patch [11]141444-09
x86 Platform
* Solaris 10 with patch [12]141445-09
Notes:
1. This issue does not affect Solaris Volume Manager (SVM) software.
2. Solaris 8, Solaris 9, and OpenSolaris are not impacted by this
issue.
3. Solaris 10 hosts with patch [13]141444-09/[14]141445-09 may be
impacted by this issue only if both of the following conditions are
met:
- EFI labeled LUNs (disks) are created on active/passive arrays.
This involves having at least one online and one standby path to
external storage with the EFI LUN.
- The size of the EFI LUN is less than 2TB.
4. To identify and determine if a disk is EFI labeled, run the format
utility and observe the output. An EFI labeled disk has only LUN/disk
capacity mentioned and does not have <cyl# alt# hd# sec#> values after
cXtXdX. In the example below, only disk 1 and disk 2 (with capacity
1.5TB and 300.00GB repectively), are EFI labeled disks:
bash-3.00# format
Searching for disks...
0. c6t500151795879BF5Dd0 <DEFAULT cyl 8933 alt 2 hd 255 sec 63>
/scsi_vhci/disk@g500151795879bf5d
1. c6t600A0B800035E82F00002DB84BBD2A04d0 <SUN-LCSM100_F-0670-1.5TB>
/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04
2. c6t600A0B800034D6D2000006ED4BBD2899d0 <SUN-LCSM100_F-0670-300.00GB>
/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899
3. c6t5000C500063A50BFd0 <SUN146G cyl 14087 alt 2 hd 24 sec 848>
/scsi_vhci/disk@g5000c500063a50bf
4. c3t201600A0B8487152d1 <drive type unknown>
/scsi_vhci/disk@g500151795879be40
Specify disk (enter its number): ^C
Possible Symptoms
Should the described issue occur, an affected EFI labeled LUN will not
have the "whole disk" device node. Instead in /dev/[r]dsk/ you will
find, for example, that cXtYdZs7 is symlink'd to /.../...:h for a
device known to have an EFI label, as in the following example:
bash-3.00# ls -l /dev/dsk/c6t600A0B800035E82F00002DB84BBD2A04d0*
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s0 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:a
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s1 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:b
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s2 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:c
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s3 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:d
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s4 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:e
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s5 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:f
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s6 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:g
lrwxrwxrwx 1 root root 63 Apr 8 14:58 /dev/dsk/c6t600A0B800035E
82F00002DB84BBD2A04d0s7 ->
../../devices/scsi_vhci/ssd@g600a0b800035e82f00002db84bbd2a04:h
A normal/unaffected EFI labeled LUN with the "whole disk" device node
has, for example, the cXtYdZ symlink'd to /.../...:wd device node, as
in the following example:
bash-3.00# ls -l /dev/dsk/c6t600A0B800034D6D2000006ED4BBD2899d0*
lrwxrwxrwx 1 root root 64 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:wd
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s0 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:a
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s1 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:b
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s2 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:c
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s3 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:d
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s4 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:e
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s5 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:f
lrwxrwxrwx 1 root root 63 Apr 8 08:23 /dev/dsk/c6t600A0B800034D
6D2000006ED4BBD2899d0s6 ->
../../devices/scsi_vhci/ssd@g600a0b800034d6d2000006ed4bbd2899:g
The following are example errors the user may see as a result of this
issue:
# vxdisk list
DEVICE TYPE DISK GROUP STATUS
c2t5006016130216F40d8 auto:cdsdisk - - online
-- or --
c2t5006016130216F40d8s2 auto - - error
Then vxdisk list of the LUN will show the following
# vxdisk list c2t5006016130216F40d8
Device: c2t5006016130216F40d8
devicetag: c2t5006016130216F40d8
type: auto
hostid:
disk: name= id=1271818562.21.sprst5120b4-03.spr.spt.symantec.com
group: name= id=
info: format=cdsdisk,privoffset=208,pubslice=2,privslice=2
flags: online ready private autoconfig autoimport
pubpaths: block=/dev/vx/dmp/c2t5006016130216F40d8s2 char=/dev/vx/rdmp/c2t50060
16130216F40d8s2
guid: -
udid: DGC%5FRAID%205%5FDISKS%5F60060160A3821800F4273FF3D6FEDE11
site: -
version: 3.1
iosize: min=512 (bytes) max=2048 (blocks)
public: slice=2 offset=65744 len=2566848208 disk_offset=48
private: slice=2 offset=208 len=65536 disk_offset=48
update: time=1271818609 seqno=0.2
ssb: actual_seqno=0.0
headers: 0 240
configs: count=1 len=48144
logs: count=1 len=7296
Defined regions:
config priv 000048-000239[000192]: copy=01 offset=000000 disabled
config priv 000256-048207[047952]: copy=01 offset=000192 disabled
log priv 048208-055503[007296]: copy=01 offset=000000 disabled
lockrgn priv 055504-055647[000144]: part=00 offset=000000
Multipathing information:
numpaths: 4
c2t5006016130216F40d8 state=enabled type=primary <<<<<<< Looks likes the
EFI
c2t5006016930216F40d8s2 state=enabled type=secondary <<<<<<< The rest is now
SMI
c3t5006016130216F40d8s2 state=enabled type=primary
c3t5006016930216F40d8s2 state=enabled type=secondary
In addition, the LUN device tree will show the following. Note only
the first LUN will display EFI:
lrwxrwxrwx 1 root root 94 Apr 20 19:38 c2t5006016130216F40d8 ->
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:wd,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s0 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:a,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s1 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:b,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s2 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:c,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s3 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:d,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s4 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:e,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s5 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:f,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016130216F40d8s6 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016130
216f40,8:g,raw
lrwxrwxrwx 1 root root 94 Apr 20 19:55 c2t5006016930216F40d8 ->
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:wd,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s0 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:a,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s1 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:b,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s2 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:c,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s3 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:d,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s4 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:e,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s5 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:f,raw
lrwxrwxrwx 1 root root 93 Feb 12 09:40 c2t5006016930216F40d8s6 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0/fp@0,0/ssd@w5006016930
216f40,8:g,raw
lrwxrwxrwx 1 root root 95 Feb 12 09:40 c3t5006016130216F40d8s0 -
>
../../devices/pci@0/pci@0/pci@8/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0/ssd@w50060161
30216f40,8:a,raw
...
...
Workaround or Resolution
To work around this issue, patchrm(1M) can be used to remove patches
[15]141444-09/[16]141445-09 that cause this issue. However, because
these patches deliver certain security fixes, this may not be
advisable.
Binary relief is available through normal support channels.
A final resolution is pending completion.
Patches
Modification History
15-Jun-2010: Workaround release
References
Responsible Engineer: Sharath.Srinivasan@Sun.COM
Attachments
This solution has no attachment
[17]About Oracle | [18]Oracle and Sun | [19]Oracle RSS Feeds |
[20]Subscribe | [21]Careers | [22]Contact Us | [23]Site Maps |
[24]Legal Notices | [25]Terms of Use | [26]SunSolve Terms of Use |
[27]Your Privacy Rights | Copyright © 2010, Oracle Corporation and/or
its affiliates | SunSolve Version 7.5.1 (build #1)
References
1. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#DESCRIPTION
2. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#OCCURRENCE
3. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#SYMPTOMS
4. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#WORKAROUND
5. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#PATCHES
6. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#HISTORY
7. file://localhost/tmp/Dl6JrwowwJ/L18615-1133TMP.html#REF
8. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-1-6912703-1
9. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1
10. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1
11. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1
12. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1
13. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1
14. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1
15. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141444-09-1
16. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-141445-09-1
17. http://www.oracle.com/us/corporate/index.htm
18. http://www.oracle.com/sun/index.html
19. http://www.oracle.com/rss/index.html
20. http://www.oracle.com/subscribe/index.html
21. http://www.oracle.com/corporate/employment/index.html
22. http://www.sun.com/contact/support.jsp
23. http://www.oracle.com/sitemaps/sitemaps.html
24. http://www.oracle.com/html/copyright.html
25. http://www.oracle.com/html/terms.html
26. file://localhost/sunsolveTermsOfUse.do
27. http://www.oracle.com/html/privacy.html
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMHqs1/iFOrG6YcBERAkChAKC7Vik36pHpch+MR9WlVteNdLEqigCfaMN7
VfG4/9F1IbV0QS31KdUIeE0=
=i6Zt
-----END PGP SIGNATURE-----