FreeBSD -- Kernel memory disclosure with nested jails

ID 6B90ACBA-6A0A-11EA-92AB-00163E433440
Type freebsd
Reporter FreeBSD
Modified 2020-03-19T00:00:00


Problem Description: A missing NUL-termination check for the jail_set(2) configuration option "osrelease" may return more bytes when reading the jail configuration back with jail_get(2) than were originally set.

Impact: For jails with a non-default setting of children.max > 0 ("nested jails") a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory.
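
The bug class described above, modelled in user space as an added example (not FreeBSD kernel code and not taken from the advisory): a length-bounded setter that omits the NUL check, beside one that enforces it. The 32-byte field size, the `pool` layout, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 32   /* assumed field size, illustration only */
#define POOL_SIZE 48   /* field plus 16 bytes of neighbouring data */
/* Constructed model: mem[0..31] is the field, mem[32..47] adjacent data. */
struct pool { char mem[POOL_SIZE]; };

static void pool_init(struct pool *p)
{
    memset(p->mem, 0, POOL_SIZE);
    memcpy(p->mem + FIELD_MAX, "SECRET", 6);  /* constructed neighbour bytes */
}

/* Weak setter: bounds the length but never checks for a NUL terminator. */
static int set_weak(struct pool *p, const char *val, size_t len)
{
    if (len > FIELD_MAX) return -1;
    memcpy(p->mem, val, len);
    return 0;
}

/* Hardened setter: the value must contain a NUL within the given length. */
static int set_checked(struct pool *p, const char *val, size_t len)
{
    if (len == 0 || len > FIELD_MAX || memchr(val, '\0', len) == NULL)
        return -1;
    memcpy(p->mem, val, len);
    return 0;
}

/* Getter: treats the field as a C string and returns the bytes copied out. */
static size_t read_back(const struct pool *p, char *out, size_t outsz)
{
    size_t n = strlen(p->mem);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p->mem, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    struct pool p; char out[POOL_SIZE], full[FIELD_MAX];
    memset(full, 'A', sizeof full);           /* 32 bytes, no NUL */
    pool_init(&p); set_weak(&p, full, sizeof full);
    printf("weak: %zu bytes read back\n", read_back(&p, out, sizeof out));
    printf("checked: rc=%d\n", set_checked(&p, full, sizeof full));
    return 0;
}
```

With the weak setter the read-back runs past the 32-byte field into the neighbouring bytes; the checked setter rejects the same input before anything is stored.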