FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Kernel memory disclosure in control messages and SCTP

Affected packages
10.0 <= FreeBSD-kernel < 10.0_7
9.2 <= FreeBSD-kernel < 9.2_10
9.1 <= FreeBSD-kernel < 9.1_17
8.4 <= FreeBSD-kernel < 8.4_14

Details

VuXML ID 7240de58-6007-11e6-a6c3-14dae9d210b8
Discovery 2014-07-08
Entry 2016-08-11

Problem Description:

Buffer between control message header and data may not be completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the returning data structure that may not be completely initialized before being copied to userland. [CVE-2014-3953]

Impact:

An unprivileged local process may be able to retrieve portion of kernel memory.

For the generic control message, the process may be able to retrieve a maximum of 4 bytes of kernel memory.

For SCTP, the process may be able to retrieve 2 bytes of kernel memory for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the local process is permitted to receive SCTP notification, a maximum of 112 bytes of kernel memory may be returned to userland.

This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

References

CVE Name CVE-2014-3952
CVE Name CVE-2014-3953
FreeBSD Advisory SA-14:17.kmem