FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Potential jail escape vulnerabilities in netmap

Affected packages
13.0 <= FreeBSD-kernel < 13.0_11
12.3 <= FreeBSD-kernel < 12.3_5

Details

VuXML ID 27d39055-b61b-11ec-9ebc-1c697aa5a594
Discovery 2022-04-06
Entry 2022-04-07

Problem Description:

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084]

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085]

Impact:

On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

References

CVE Name CVE-2022-23084
CVE Name CVE-2022-23085
FreeBSD Advisory SA-22:04.netmap