Boundary checking errors in syscons

ID 67710833-1626-11D9-BC4A-000C41E2CDAD
Type freebsd
Reporter FreeBSD
Modified 2004-09-30T00:00:00


The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior. It may be possible to cause the CONS_SCRSHOT ioctl to return portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password. This bug may be exploitable by users who have access to the physical console or can otherwise open a /dev/ttyv* device node.