FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Kernel memory disclosure in firewire(4)

Affected systems
6.1 < FreeBSD < 6.1_11
6.0 < FreeBSD < 6.2_16
5.5 < FreeBSD < 5.5_9
4.11 < FreeBSD < 4.11_26

Details

VuXML ID 5c554c0f-c69a-11db-9f82-000e0c2e438a
Discovery 2006-12-06
Entry 2007-02-27

Problem Description:

In the FW_GCROM ioctl, a signed integer comparison is used instead of an unsigned integer comparison when computing the length of a buffer to be copied from the kernel into the calling application.
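The signed-versus-unsigned length check described above, modelled in user space as an added example. This is not the firewire(4) source: the function names, the buffer size and the sample data are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ROM_SIZE 16   /* hypothetical size of the buffer being returned */

/* Constructed stand-in for kernel memory: the buffer, then unrelated data. */
struct fake_kmem { char rom[ROM_SIZE]; char adjacent[16]; };

/* Flawed pattern: the caller-supplied length is compared as a signed int,
 * so a negative value is never above the limit and skips the clamp. */
size_t clamp_len_signed(int req_len)
{
    int len = req_len;
    if (len > ROM_SIZE)
        len = ROM_SIZE;
    return (size_t)len;   /* a negative length becomes a huge unsigned one */
}

/* Corrected pattern: compare as unsigned, so every out-of-range value is clamped. */
size_t clamp_len_unsigned(int req_len)
{
    size_t len = (size_t)(unsigned int)req_len;
    if (len > ROM_SIZE)
        len = ROM_SIZE;
    return len;
}

/* Models the copy to the caller and returns how many bytes beyond rom[] it exposes.
 * The copy is bounded to the fake region so the demonstration stays well-defined. */
size_t bytes_exposed_past_rom(size_t len, char *out, size_t out_size)
{
    static const struct fake_kmem km = { "CONFIG-ROM-DATA", "adjacent-secret" };
    size_t n = len < sizeof(km) ? len : sizeof(km);
    if (n > out_size) n = out_size;
    memcpy(out, &km, n);
    return n > ROM_SIZE ? n - ROM_SIZE : 0;
}

int main(void)
{
    char out[sizeof(struct fake_kmem)];
    printf("signed check:   %zu bytes past the buffer\n",
           bytes_exposed_past_rom(clamp_len_signed(-1), out, sizeof out));
    printf("unsigned check: %zu bytes past the buffer\n",
           bytes_exposed_past_rom(clamp_len_unsigned(-1), out, sizeof out));
    return 0;
}
```

When auditing similar ioctl handlers, look for a length field declared as a signed type that is only checked against an upper bound before being passed to a copy routine that takes an unsigned size.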

Impact:

A user in the "operator" group can read the contents of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

Workaround:

No workaround is available, but systems without IEEE 1394 ("FireWire") interfaces are not vulnerable. (Note that systems with IEEE 1394 interfaces are affected regardless of whether any devices are attached.)

Note also that FreeBSD does not have any non-root users in the "operator" group by default; systems on which no users have been added to this group are therefore also not vulnerable.

References

CVE Name CVE-2006-6013
FreeBSD Advisory SA-06:25.kmem