FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Reference count overflow in mqueue filesystem

Affected packages
12.0 <= FreeBSD-kernel < 12.0_8
11.2 <= FreeBSD-kernel < 11.2_12
11.3 <= FreeBSD-kernel < 11.3_1

Details

VuXML ID deb6e164-b30b-11e9-a87f-a4badb2f4699
Discovery 2019-07-24
Entry 2019-07-30

Problem Description:

System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file.

Impact:

A local user can use this flaw to obtain access to files, directories, sockets etc. opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.

References

CVE Name CVE-2019-5603
FreeBSD Advisory SA-19:15.mqueuefs