FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- kqueue pipe race conditions

Affected systems
6.3 < FreeBSD < 6.4_7
6.4 < FreeBSD < 6.3_13

Details

VuXML ID 90d2e58f-b25a-11de-8c83-02e0185f8d72
Discovery 2009-10-02
Entry 2009-10-06

Problem Description

A race condition exists in the pipe close() code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results.

Impact

Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code on the target system.

Workaround

An errata notice, FreeBSD-EN-09:05.null, has been released simultaneously with this advisory and contains a kernel patch implementing a workaround for a broader class of vulnerabilities. However, prior to those changes, no workaround is available.

References

FreeBSD Advisory SA-09:13.pipe