FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- kqueue pipe race conditions

Affected systems
6.3 < FreeBSD < 6.4_7
6.4 < FreeBSD < 6.3_13


VuXML ID 90d2e58f-b25a-11de-8c83-02e0185f8d72
Discovery 2009-10-02
Entry 2009-10-06

Problem Description

A race condition exists in the pipe close() code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results.


Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code on the target system.


An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a more broad class of vulnerabilities. However, prior to those changes, no workaround is available.


FreeBSD Advisory SA-09:13.pipe