Problem Description:
The KTLS receive path decrypted each record in place, assuming
that the mbufs holding received data were anonymous and safe to
modify. This assumption does not hold for data placed on a socket
by sendfile(2), which can reference file-backed memory directly
through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the
sender transmits such data over a loopback connection without
enabling KTLS on the transmit side, the file-backed mbufs reach the
receiver's decryption path unchanged. Decrypting a record in place
then overwrites the backing file's page cache instead of a private
copy of the data.
Impact:
An unprivileged local user who can read a file can overwrite
its contents with data of their choosing by sending the file over
a loopback connection on which they have enabled KTLS receive. The
write modifies the page cache directly, so it bypasses file flags
such as schg and is written back to disk. By overwriting a setuid
binary or other trusted file, a local user can escalate privileges,
potentially gaining full control of the affected system.