shmat reference counting bug

ID F95A9005-88AE-11D8-90D1-0020ED76EF5A
Type freebsd
Reporter FreeBSD
Modified 2004-05-05T00:00:00


A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented. It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation.