FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- double free in accept_filter(9) socket configuration interface

Affected packages
12.2 <= FreeBSD-kernel < 12.2_6


VuXML ID f8e1e2a6-9791-11eb-b87a-901b0ef719ab
Discovery 2021-04-06
Entry 2021-04-07

Problem Description:

An unprivileged process can configure an accept filter on a listening socket. This is done using the setsockopt(2) system call. The process supplies the name of the accept filter which is to be attached to the socket, as well as a string containing filter-specific information.

If the filter implements the accf_create callback, the socket option handler attempts to preserve the process-supplied argument string. A bug in the socket option handler caused this string to be freed prematurely, leaving a dangling pointer. Additional operations on the socket can turn this into a double free or a use-after-free.


The bug may be exploited to trigger local privilege escalation or kernel memory disclosure.


CVE Name CVE-2021-29627
FreeBSD Advisory SA-21:09.accept_filter