Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure
23 Jul. 2006
Summary
Solaris is "a UNIX operating system developed by Sun Microsystems". Local exploitation of an integer overflow vulnerability in Sun Microsystems Inc. Solaris allows attackers to read kernel memory from a non-privileged userspace process.
If the variable count (a value supplied by the user invoking the function) is 0, the function calls copyout with a length argument of -1. Because copyout interprets the length argument as an unsigned integer, -1 is treated as a very large value, and a large amount of data is copied out to userspace, well beyond the intended bounds.
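A user-space C model of the length handling described above, added here as an illustration and not taken from the Solaris source or the advisory. The `count - 1` truncation, the function names and `SRC_LEN` are assumptions; the page states only that a count of 0 produces a length of -1 that copyout reads as unsigned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRC_LEN 8L  /* constructed: length of the kernel-side string */

/* What an unsigned length parameter receives when handed a signed value. */
size_t len_seen_by_copy(long signed_len) {
    return (size_t)signed_len;
}

/* Flawed model (assumed arithmetic): truncate to the caller's buffer,
 * leaving room for a terminator, without checking count's lower bound. */
long flawed_len(long count, long src_len) {
    long n = src_len;
    if (n >= count)
        n = count - 1;          /* count == 0 gives -1 */
    return n;
}

/* Hardened model: reject non-positive counts before any arithmetic, so
 * the result is always in [0, src_len]. Returns 0 on success, -1 on
 * invalid input. */
int checked_len(long count, long src_len, size_t *out) {
    if (count <= 0 || src_len < 0)
        return -1;
    long n = src_len;
    if (n >= count)
        n = count - 1;
    *out = (size_t)n;
    return 0;
}

int main(void) {
    size_t n = 0;
    printf("flawed, count=0: copy length %zu\n",
           len_seen_by_copy(flawed_len(0, SRC_LEN)));
    printf("flawed, count=64: copy length %zu\n",
           len_seen_by_copy(flawed_len(64, SRC_LEN)));
    printf("checked, count=0: %s\n",
           checked_len(0, SRC_LEN, &n) ? "rejected" : "accepted");
    if (checked_len(4, SRC_LEN, &n) == 0)
        printf("checked, count=4: copy length %zu\n", n);
    return 0;
}
```

The range check has to happen while the value is still signed; once it has been converted to the unsigned length type, -1 is indistinguishable from a legitimately huge request.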