Allele Security Alert
ASA-2019-00045, CVE-2019-5596, FreeBSD-SA-19:02.fd
File description reference count leak
The FreeBSD Project
2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
Proof of concept
FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process’ descriptor table, the kernel handles the truncation case by closing descriptors referenced by the discarded message.
The code which performs this operation failed to release a reference obtained on the file corresponding to a received right. This bug can be used to cause the reference counter to wrap around and free the file structure.
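A toy model of the leak described above, added here as an illustration and not taken from FreeBSD source or the advisory. The names `file_model`, `ref_get`, `ref_put`, `discard_right` and `run` are hypothetical, and the counter is narrowed to 8 bits (an assumption of the model) so that the wrap-around is reached after a few hundred discarded rights.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a reference-counted file object (assumption: not FreeBSD
 * source). The counter is 8 bits wide so the wrap is reached quickly. */
struct file_model {
    uint8_t refs;   /* outstanding references */
    bool freed;     /* set once the count has dropped to zero */
};

static void ref_get(struct file_model *fp) { fp->refs++; }  /* wraps silently */

static void ref_put(struct file_model *fp)
{
    if (--fp->refs == 0)
        fp->freed = true;
}

/* One received right whose control message was truncated.
 * fixed == false models the leak, fixed == true models the corrected path. */
static void discard_right(struct file_model *fp, bool fixed)
{
    ref_get(fp);        /* right installed as a descriptor in the receiver */
    ref_get(fp);        /* reference obtained on the file for that right */
    ref_put(fp);        /* descriptor closed: the message was discarded */
    if (fixed)
        ref_put(fp);    /* release of the obtained reference (the missing step) */
}

/* Start with `holders` legitimate references, discard `n` rights, then let
 * one legitimate holder close its descriptor. Returns the final state. */
static struct file_model run(uint8_t holders, unsigned n, bool fixed)
{
    struct file_model f = { .refs = holders, .freed = false };
    for (unsigned i = 0; i < n; i++)
        discard_right(&f, fixed);
    ref_put(&f);
    return f;
}

int main(void)
{
    /* Two legitimate holders: the object must survive one of them closing. */
    printf("leaky, 10 discards:  refs=%u freed=%d\n", run(2, 10, false).refs, run(2, 10, false).freed);
    printf("leaky, 255 discards: freed=%d\n", run(2, 255, false).freed);
    printf("fixed, 255 discards: refs=%u freed=%d\n", run(2, 255, true).refs, run(2, 255, true).freed);
    return 0;
}
```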
FreeBSD Security Advisory FreeBSD-SA-19:02.fd
Last modified: July 10, 2019