FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD-kernel -- SMAP bypass

Affected packages
13.0 <= FreeBSD-kernel < 13.0_1
12.2 <= FreeBSD-kernel < 12.2_7


VuXML ID d1ac6a6a-bea8-11eb-b87a-901b0ef719ab
Discovery 2021-05-27
Entry 2021-05-27

Problem Description:

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.


This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.


CVE Name CVE-2021-29628
FreeBSD Advisory SA-21:11.smap