ASA-2019-00045 – FreeBSD: File descriptor reference count leak


Allele Security Alert

ASA-2019-00045

Identifier(s)

ASA-2019-00045, CVE-2019-5596, FreeBSD-SA-19:02.fd

Title

File descriptor reference count leak

Vendor(s)

The FreeBSD Project

Product(s)

FreeBSD

Affected version(s)

FreeBSD 12.0

Fixed version(s)

2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)

Proof of concept

Yes

Description

FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process's descriptor table, the kernel handles the truncation case by closing the descriptors referenced by the discarded message.

The code which performs this operation failed to release the reference obtained on the file corresponding to each received right. Because every truncated delivery leaks one reference, this bug can be used to cause the reference counter to wrap around and free the file structure while it is still in use.
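The following is an added illustration, not code from the advisory, from FreeBSD, or from the fd.patch referenced below. It is a constructed toy model of the bug class the description names: a file object with a reference counter, a receive path that takes a reference for each received right, and two discard paths for the truncated-message case, one that forgets to release the reference (the defect described above) and one that releases it. All names (`struct file`, `file_hold`, `file_drop`, `receive_right`, `discard_truncated_*`, `leaked_refs`, `premature_free_after_leaks`) are assumptions of this model; the counter is deliberately 8 bits wide so that the wrap-around is reachable in a few hundred iterations, whereas a real kernel counter is much wider. The `leaked_refs` check is the kind of balance assertion a reviewer or regression test would apply to any get/put pair.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Deliberately narrow counter so the wrap is demonstrable; real kernels use
 * a wider type. (Constructed for this example.) */
typedef uint8_t refcnt_t;

/* Constructed stand-in for a kernel file object. */
struct file {
    refcnt_t refcount;
    bool freed;      /* set when the last reference is dropped */
};

/* Hold/drop pair: the object is freed when the count reaches zero. */
static void file_hold(struct file *fp) { fp->refcount++; }
static void file_drop(struct file *fp) {
    if (--fp->refcount == 0)
        fp->freed = true;
}

/* Receive side: resolving a received right takes a reference on the
 * receiver's behalf. */
static void receive_right(struct file *fp) { file_hold(fp); }

/* Buggy discard path: the message is truncated, so no descriptor is installed,
 * but the reference taken in receive_right() is never released. */
static void discard_truncated_buggy(struct file *fp) { (void)fp; }

/* Fixed discard path: the reference is released along with the discard. */
static void discard_truncated_fixed(struct file *fp) { file_drop(fp); }

typedef void (*discard_fn)(struct file *);

/* Deliver the same right n times into a too-small buffer and report the net
 * change in the reference count. A balanced implementation returns 0. */
static int leaked_refs(discard_fn discard, unsigned n) {
    struct file f = { .refcount = 1, .freed = false }; /* owner's reference */
    refcnt_t before = f.refcount;
    for (unsigned i = 0; i < n; i++) {
        receive_right(&f);
        discard(&f);
    }
    return (int)f.refcount - (int)before;
}

/* After `leaks` truncated deliveries, an unrelated, perfectly balanced
 * hold/drop pair (e.g. a normal operation on the descriptor) is performed
 * while the owner still holds its reference. Returns true if the object was
 * freed prematurely, which only happens once the counter has wrapped to 0. */
static bool premature_free_after_leaks(discard_fn discard, unsigned leaks) {
    struct file f = { .refcount = 1, .freed = false }; /* owner's reference */
    for (unsigned i = 0; i < leaks; i++) {
        receive_right(&f);
        discard(&f);
    }
    file_hold(&f);   /* legitimate, balanced use by another code path */
    file_drop(&f);
    return f.freed;  /* the owner never dropped its reference */
}

int main(void) {
    printf("net refs leaked by buggy path over 10 deliveries: %d\n",
           leaked_refs(discard_truncated_buggy, 10));
    printf("net refs leaked by fixed path over 10 deliveries: %d\n",
           leaked_refs(discard_truncated_fixed, 10));
    printf("buggy path, 255 leaks, object freed while still owned: %s\n",
           premature_free_after_leaks(discard_truncated_buggy, 255) ? "yes" : "no");
    printf("fixed path, 255 deliveries, object freed while still owned: %s\n",
           premature_free_after_leaks(discard_truncated_fixed, 255) ? "yes" : "no");
    return 0;
}
```

With the 8-bit counter, the owner's single reference plus 255 leaked ones wraps the count to 0; the next balanced hold/drop then reaches 0 again and frees the object out from under its owner, which is the use-after-free condition the description refers to. The defensive takeaway is the `leaked_refs` property: for every path that can take a reference, including error and truncation paths, the net count must return to its starting value.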

Technical details

Unknown

Credits

Peter Holm

Reference(s)

FreeBSD-SA-19:02.fd
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:02.fd.asc

FreeBSD Security Advisory FreeBSD-SA-19:02.fd
https://seclists.org/bugtraq/2019/Feb/12

fd.patch
https://security.freebsd.org/patches/SA-19:02/fd.patch

Exploiting FreeBSD-SA-19:02.fd
https://secfault-security.com/blog/FreeBSD-SA-1902.fd.html

CVE-2019-5596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596

CVE-2019-5596
https://nvd.nist.gov/vuln/detail/CVE-2019-5596

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.