FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat

Affected packages
12.0 <= FreeBSD-kernel < 12.0_10
11.3 <= FreeBSD-kernel < 11.3_3
11.2 <= FreeBSD-kernel < 11.2_14

Details

VuXML ID 53b3474c-f680-11e9-a87f-a4badb2f4699
Discovery 2019-08-20
Entry 2019-10-24

Problem Description:

System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file.

Impact:

A local user can use this flaw to obtain access to files, directories, sockets, etc., opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.

References

CVE Name CVE-2019-5603
FreeBSD Advisory SA-19:24.mqueuefs