FreeBSD -- nmount(2) local arbitrary code execution

ID 7DBB7197-7B68-11DD-80BA-000BCDF0A03B
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00


Problem Description: Various user-defined inputs, such as mount points, devices, and mount options, are prepared and passed into the kernel as arguments to nmount(2). Under certain error conditions, user-defined data will be copied into a stack-allocated buffer stored in the kernel without sufficient bounds checking.

Impact: If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel.

Workaround: It is possible to work around this issue by allowing only privileged users to mount file systems by running the following sysctl(8) command:

sysctl vfs.usermount=0
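
A sysctl set from the command line lasts only until the next reboot, so the following added example (not part of the original advisory) checks both the running value of vfs.usermount and whether a boot-time configuration file would turn it back on. It assumes that the kernel default is 0 and that /etc/sysctl.conf is the only file setting the value at boot; the function names and status strings are hypothetical.

```sh
#!/bin/sh
# Added example: audit the vfs.usermount workaround (runtime and boot-time).

# Print the last vfs.usermount value assigned in a sysctl.conf-style file.
# Prints nothing if the file is unreadable or never sets it.
# Commented-out lines are ignored; a later assignment overrides an earlier one.
usermount_conf_value() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*vfs\.usermount[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" |
        tail -n 1
}

# Classify the workaround state.
#   $1 = runtime value (output of `sysctl -n vfs.usermount`)
#   $2 = value found in the boot-time file, empty if unset
# Assumption: an unset value means the kernel default of 0 applies at boot.
usermount_status() {
    case "$1" in
        0)
            if [ -n "$2" ] && [ "$2" != "0" ]; then
                echo "reverts-at-boot"   # safe now, re-enabled on next boot
            else
                echo "ok"                # safe now and after a reboot
            fi ;;
        ''|unknown)
            echo "unknown" ;;            # sysctl unavailable or unreadable
        *)
            echo "exposed" ;;            # unprivileged mounts allowed now
    esac
}

# Query the live system and report one summary line.
audit_usermount() {
    conf_file=${1:-/etc/sysctl.conf}
    runtime=$(sysctl -n vfs.usermount 2>/dev/null) || runtime=unknown
    conf=$(usermount_conf_value "$conf_file")
    printf 'runtime=%s configured=%s status=%s\n' \
        "$runtime" "${conf:-unset}" "$(usermount_status "$runtime" "$conf")"
}

# Run the audit only when asked, e.g.: sh audit.sh --audit [conf-file]
case "${1:-}" in
    --audit) audit_usermount "${2:-/etc/sysctl.conf}" ;;
esac
```

A status of reverts-at-boot means the workaround is active but the configuration file still contains a non-zero vfs.usermount line that should be removed or set to 0.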