FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- sendmsg(2) privilege escalation

Affected packages
12.1 <= FreeBSD-kernel < 12.1_8
11.4 <= FreeBSD-kernel < 11.4_2
11.3 <= FreeBSD-kernel < 11.3_12


VuXML ID 8db74c04-d794-11ea-88f8-901b0ef719ab
Discovery 2020-08-05
Entry 2020-08-06

Problem Description:

When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a malicious userspace program to modify control message headers after they were validated by the kernel.


The TOCTOU bug can be exploited by an unprivileged malicious userspace program to trigger privilege escalation.


CVE Name CVE-2020-7460
FreeBSD Advisory SA-20:23.sendmsg