FreeBSD -- File description reference count leak

ID 86C89ABF-2D91-11E9-BF3E-A4BADB2F4699
Type freebsd
Reporter FreeBSD
Modified 2019-02-05T00:00:00


Problem Description: FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process' descriptor table, the kernel handles the truncation case by closing descriptors referenced by the discarded message. The code which performs this operation failed to release a reference obtained on the file corresponding to a received right. This bug can be used to cause the reference counter to wrap around and free the file structure. Impact: A local user can exploit the bug to gain root privileges or escape from a jail.