FatGid: FreeBSD 14.x kernel local privilege escalation
A local privilege escalation vulnerability has been identified in the FreeBSD 14.x kernel. The flaw is a buffer overflow in kern_setcred_copyin_supp_groups(), reachable by any local user through the setcred system call. It lets an attacker take control of kernel execution flow and potentially run arbitrary code in kernel context.
- The vulnerability is in the kern_setcred_copyin_supp_groups() function of the FreeBSD 14.x kernel.
- A local attacker triggers the overflow by passing a crafted supplementary-group list to the setcred system call.
- The overflow overwrites what follows the small-groups buffer in the kernel stack frame, including saved register values, which lets the attacker control execution flow in the kernel.
Opening excerpt (first ~120 words)
Vulnerability details

File: sys/kern/kern_prot.c
Function: kern_setcred_copyin_supp_groups()
Lines: 528-533

The function signature uses a double pointer for the groups argument:

    static int
    kern_setcred_copyin_supp_groups(struct setcred *const wcred, const u_int flags,
        gid_t *const smallgroups, gid_t **const groups)

Because groups has type gid_t **, the expression sizeof(*groups) evaluates to sizeof(gid_t *) == 8 on LP64, rather than the intended sizeof(gid_t) == 4. This sizeof expression is used in two places:

    /* line 528-530: allocation */
    *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ?
        smallgroups :
        malloc((wcred->sc_supp_groups_nb + 1) * sizeof(*groups), M_TEMP, M_WAITOK);
        /* sizeof(*groups) == 8 */

    /* line 532-533: copyin */
    error = copyin(wcred->sc_supp_groups, *groups +…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Fatgid.
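The sizeof mistake from the excerpt, modelled in user space as an added example (this is not FreeBSD's code, nor the Fatgid article's): it computes how many bytes a copy of nb supplementary groups lands past the end of the CRED_SMALLGROUPS_NB-element small-groups buffer under the buggy sizeof(*groups) and under the intended sizeof(**groups), and then runs the copy against a frame with a sentinel word after the buffer to show the adjacent data being clobbered. The value of CRED_SMALLGROUPS_NB (16 here), the frame layout, copyin modelled as memcpy, and the copy landing at element 1 with a length of nb * sizeof(*groups) are all assumptions made for illustration; the excerpt's copyin call is cut off before its length argument.

```c
/*
 * Added example, not FreeBSD's code: a user-space model of the
 * sizeof(*groups) mistake in kern_setcred_copyin_supp_groups().
 * Parameter names follow the excerpt; the constant value, the frame
 * layout, copyin-as-memcpy and the copy offset/length are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>          /* gid_t: 32-bit unsigned on FreeBSD and Linux */

#define CRED_SMALLGROUPS_NB 16  /* assumed value, not FreeBSD's actual constant */

struct setcred {
    const void *sc_supp_groups; /* stand-in for the user pointer */
    unsigned int sc_supp_groups_nb;
};

enum size_mode { SIZE_BUGGY, SIZE_FIXED };

/* Per-element size as the two spellings compute it: with groups of type
 * gid_t **, sizeof(*groups) is the size of a gid_t * (8 on LP64), while
 * sizeof(**groups) is the size of a gid_t (4). */
static size_t elem_size(gid_t **groups, enum size_mode mode)
{
    return mode == SIZE_BUGGY ? sizeof(*groups) : sizeof(**groups);
}

/* Bytes that a copy of nb groups, starting at element 1 of smallgroups
 * (assumption), would write past the end of the buffer. 0 means it fits. */
size_t overflow_bytes(unsigned int nb, enum size_mode mode)
{
    gid_t *storage = NULL;
    gid_t **groups = &storage;  /* only used for the sizeof computation */
    size_t capacity = CRED_SMALLGROUPS_NB * sizeof(gid_t);
    size_t end = sizeof(gid_t) + (size_t)nb * elem_size(groups, mode);
    return end > capacity ? end - capacity : 0;
}

/* Modelled caller frame: the small-groups array, then a sentinel standing in
 * for whatever the real frame holds after it (saved registers, return
 * address), then slack so the model's own copy never leaves this object. */
struct frame {
    gid_t smallgroups[CRED_SMALLGROUPS_NB];
    uint64_t sentinel;
    uint8_t slack[256];
};

#define SENTINEL 0x5a5a5a5a5a5a5a5aULL

/* Model of the small-groups path. Returns 1 if the copy clobbered the
 * sentinel, 0 if it stayed inside smallgroups, -1 if nb would take the
 * malloc path (not modelled here). */
int copyin_supp_groups_model(const struct setcred *wcred, enum size_mode mode)
{
    struct frame f;
    gid_t *storage;
    gid_t **groups = &storage;
    size_t len, avail;

    if (wcred->sc_supp_groups_nb >= CRED_SMALLGROUPS_NB)
        return -1;
    memset(&f, 0, sizeof f);
    f.sentinel = SENTINEL;
    *groups = f.smallgroups;

    /* Assumed length expression: nb groups times the (mis)computed size. */
    len = (size_t)wcred->sc_supp_groups_nb * elem_size(groups, mode);
    avail = sizeof f - sizeof(gid_t);   /* bytes from element 1 to frame end */
    if (len > avail)                    /* keep the model itself memory-safe */
        len = avail;
    memcpy(*groups + 1, wcred->sc_supp_groups, len);   /* copyin stand-in */
    return f.sentinel != SENTINEL;
}

/* Convenience wrapper: a constructed 256-byte "user" buffer full of 0x41. */
int demo_clobbered(unsigned int nb, enum size_mode mode)
{
    uint8_t user_mem[256];
    struct setcred wcred;
    memset(user_mem, 0x41, sizeof user_mem);
    wcred.sc_supp_groups = user_mem;
    wcred.sc_supp_groups_nb = nb;
    return copyin_supp_groups_model(&wcred, mode);
}

int main(void)
{
    unsigned int nb = 15;   /* still below CRED_SMALLGROUPS_NB: stack path */
    enum size_mode m;
    for (m = SIZE_BUGGY; m <= SIZE_FIXED; m++)
        printf("%s: %zu bytes past smallgroups, sentinel clobbered: %d\n",
               m == SIZE_BUGGY ? "sizeof(*groups) " : "sizeof(**groups)",
               overflow_bytes(nb, m), demo_clobbered(nb, m));
    return 0;
}
```

With 64-bit pointers the buggy spelling asks for 8 bytes per group, so the copy runs to twice the length the buffer was sized for: under the assumed constant of 16 and the assumed element-1 offset, any count from 8 up to 15 overruns smallgroups while still taking the non-malloc path. Spelling the element size as sizeof(**groups) or sizeof(gid_t) gives 4, and the copy for 15 groups ends exactly at the buffer boundary.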