ASA-2019-00472 – FreeBSD: File descriptor reference count leak


Allele Security Alert

ASA-2019-00472

Identifier(s)

ASA-2019-00472, CVE-2019-5607, FreeBSD-SA-19:17.fd

Title

File descriptor reference count leak

Vendor(s)

The FreeBSD Project

Product(s)

FreeBSD

Affected version(s)

All supported versions of FreeBSD

Fixed version(s)

2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
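
To check a host against the fixed patch levels listed above, the following sh function classifies a FreeBSD version string. It is an example added to this alert, not code from the FreeBSD Project or the advisory. The function name and the four result words are assumptions made for the example, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example: classify a FreeBSD version string against the fixed
# patch levels listed in this alert. The function name and the result
# words (fixed, vulnerable, check-date, unknown) are assumptions.

asa_2019_00472_status() {
    ver=$1
    case $ver in
        *-RELEASE*) ;;
        *-STABLE*)
            # -STABLE strings carry no patch level: compare the build
            # date with the stable/11 or stable/12 correction time.
            echo check-date; return 0 ;;
        *)  echo unknown; return 0 ;;
    esac

    release=${ver%%-RELEASE*}   # "12.0-RELEASE-p7" -> "12.0"
    suffix=${ver#*-RELEASE}     # "-p7", or "" when unpatched
    case $suffix in
        "")  plevel=0 ;;
        -p*) plevel=${suffix#-p} ;;
        *)   echo unknown; return 0 ;;
    esac
    case $plevel in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # not a number
    esac

    # First fixed patch level per release branch, from this alert.
    case $release in
        12.0) fixed=8 ;;
        11.2) fixed=12 ;;
        11.3) fixed=1 ;;
        *)    echo unknown; return 0 ;;   # release not listed here
    esac

    if [ "$plevel" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# Constructed sample inputs. On a real host pass the installed kernel
# version instead: asa_2019_00472_status "$(freebsd-version -k)"
for sample in 12.0-RELEASE-p7 12.0-RELEASE-p8 11.3-RELEASE 11.2-STABLE; do
    printf '%s: %s\n' "$sample" "$(asa_2019_00472_status "$sample")"
done
```

freebsd-version -k reports the installed kernel, so a patched host still runs the old kernel until it is rebooted.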

Proof of concept

Unknown

Description

If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure.

A local user can exploit the bug to gain root privileges or escape from a jail.

Technical details

Unknown

Credits

Mark Johnston

Reference(s)

FreeBSD-SA-19:17.fd.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:17.fd.asc

fd.11.2.patch
https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch

fd.11.2.patch.asc
https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc

fd.11.patch
https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch

fd.11.patch.asc
https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc

fd.12.patch
https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch

fd.12.patch.asc
https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc

Fix leak of memory and file refs with sendmsg(2) over unix domain sockets.
https://svnweb.freebsd.org/base?view=revision&revision=r350222

Fix file descriptor reference count leak.
https://svnweb.freebsd.org/base?view=revision&revision=r350286

Fix leak of memory and file refs with sendmsg(2) over unix domain sockets.
https://svnweb.freebsd.org/base?view=revision&revision=r350223

CVE-2019-5607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607

CVE-2019-5607
https://nvd.nist.gov/vuln/detail/CVE-2019-5607

Last modified: August 1, 2019