FreeBSD -- Kernel memory disclosure in control messages and SCTP
The buffer between the control message header and the data may not
be completely initialized before being copied to userland.
Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
have implicit padding that may not be completely initialized
before being copied to userland. In addition, three SCTP
notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
SCTP_AUTHENTICATION_EVENT, have padding in the returning
data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]
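The defect class above, as an added illustration that is not part of the advisory or of the FreeBSD source: a constructed structure with compiler-inserted padding is built in memory that still holds older data and then copied out whole, once without clearing it (the padding carries the old bytes out) and once after zeroing the entire object first (the fix). The field layout, the 0xAA marker and the function names are assumptions made for this example; `struct cmsg_info` is not the real `sctp_sndrcvinfo`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a cmsg payload such as the SCTP info structures.
 * Layout chosen only to force implicit padding (2 bytes after `stream`,
 * 3 bytes after `flags` on common ABIs). Not the real struct sctp_sndrcvinfo. */
struct cmsg_info {
    uint16_t stream;
    uint32_t ppid;
    uint8_t  flags;
};

#define NAMED_BYTES (sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t))
#define STALE 0xAA   /* constructed marker standing in for leftover kernel bytes */

/* Padding bytes the compiler inserted; each one is a potential disclosure
 * when the structure is copied to userland without being zeroed first. */
size_t padding_bytes(void)
{
    return sizeof(struct cmsg_info) - NAMED_BYTES;
}

/* Builds the structure in memory that previously held other data, then copies
 * all sizeof(struct) bytes out (the memcpy stands in for copyout()).
 * zero_first == 0: only the named fields are written, padding keeps its old
 * contents, which is the defect the advisory describes.
 * zero_first != 0: the whole object is cleared before the fields are set.
 * Returns how many copied-out bytes still carry the stale marker. */
size_t build_and_copyout(int zero_first)
{
    union {
        struct cmsg_info info;
        unsigned char raw[sizeof(struct cmsg_info)];
    } kmem;
    static unsigned char user_copy[sizeof(struct cmsg_info)];

    memset(kmem.raw, STALE, sizeof kmem.raw);   /* reused memory, still holds data */
    if (zero_first)
        memset(&kmem.info, 0, sizeof kmem.info); /* the fix: clears padding too */
    kmem.info.stream = 1;
    kmem.info.ppid   = 2;
    kmem.info.flags  = 3;

    memcpy(user_copy, kmem.raw, sizeof kmem.raw);

    size_t leaked = 0;
    for (size_t i = 0; i < sizeof user_copy; i++)
        if (user_copy[i] == STALE)
            leaked++;
    return leaked;
}
```

The same reasoning applies to the gap between a cmsghdr and its data: any byte in the copied region that no field write covers must be cleared explicitly.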
An unprivileged local process may be able to retrieve a
portion of kernel memory.
For the generic control message, the process may be able
to retrieve a maximum of 4 bytes of kernel memory.
For SCTP, the process may be able to retrieve 2 bytes
of kernel memory for all three control messages, plus 92
bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
local process is permitted to receive SCTP notifications, a
maximum of 112 bytes of kernel memory may be returned to
This information might be directly useful, or it might
be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright