FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

shmat reference counting bug

Affected systems
5.2 <= FreeBSD < 5.2_2
5.1 <= FreeBSD < 5.1_14
5.0 <= FreeBSD < 5.0_20
4.9 <= FreeBSD < 4.9_2
4.8 <= FreeBSD < 4.8_15
FreeBSD < 4.7_25

Details

VuXML ID f95a9005-88ae-11d8-90d1-0020ed76ef5a
Discovery 2004-02-01
Entry 2004-04-07
Modified 2004-05-05

A programming error in the shmat(2) system call can result in a shared memory segment's reference count being erroneously incremented.

It may be possible to cause a shared memory segment to reference unallocated kernel memory, but remain valid. This could allow a local attacker to gain read or write access to a portion of kernel memory, resulting in sensitive information disclosure, bypass of access control mechanisms, or privilege escalation.

References

CVE Name CVE-2004-0114
FreeBSD Advisory SA-04:02.shmat
URL http://www.pine.nl/press/pine-cert-20040201.txt