Problem Description:
FreeBSD 12.0 attempts to handle the case where the
receiving process does not provide a sufficiently large
buffer for an incoming control message containing rights
(an SCM_RIGHTS message carrying file descriptors).
In particular, to avoid leaking the corresponding descriptors
into the receiving process' descriptor table, the kernel
handles the truncation case by closing the descriptors
referenced by the discarded part of the message.
The code which performs this operation failed to release
the reference it had obtained on the file corresponding to
each discarded right. Since the reference is leaked every
time the truncation path runs, a process that triggers it
repeatedly can make the file's reference counter wrap
around, at which point the file structure is freed while
the file is still in use.
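The truncation path described above, exercised from
userland as an added example (this is not code from the
advisory or from FreeBSD): a sender passes two descriptors
over an AF_UNIX socketpair, and the receiver reads once
with a control buffer that fits both and once with no
control buffer at all. The second read is the case the
kernel must clean up after; the example checks that it
reports MSG_CTRUNC and that nothing lands in the receiver's
descriptor table, using the lowest free descriptor number
as the probe. The expected values in the comments were
checked on Linux, which is assumed here; the kernel-internal
reference leak the advisory describes cannot be observed
from userland by this test, only the descriptor-table
behaviour that the closing code is meant to provide.

```c
/* Added example, not code from the advisory or from FreeBSD:
 * exercise the SCM_RIGHTS truncation path from userland.
 * Expected MSG_CTRUNC / count values were checked on Linux. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define NFDS 2

struct recv_result {
    int ctrunc;        /* 1 if recvmsg() reported MSG_CTRUNC */
    int nfds;          /* descriptors actually handed to us */
    int fd_table_grew; /* 1 if the lowest free fd moved across the call */
};

/* Lowest descriptor number the kernel would hand out next: a cheap probe
 * for "did anything land in my descriptor table that I was not given?". */
static int lowest_free_fd(int ref) {
    int fd = dup(ref);
    if (fd >= 0) close(fd);
    return fd;
}

/* Send NFDS copies of fd_to_pass over sock in a single SCM_RIGHTS cmsg. */
static int send_rights(int sock, int fd_to_pass) {
    int fds[NFDS];
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof fds)]; } u;
    struct msghdr msg;

    for (int i = 0; i < NFDS; i++) fds[i] = fd_to_pass;
    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof fds);
    memcpy(CMSG_DATA(cm), fds, sizeof fds);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one message. with_control == 0 offers no control buffer, which
 * forces the truncation path for any attached rights. Delivered descriptors
 * are closed before returning so the fd-table probe stays meaningful. */
static int recv_rights(int sock, int with_control, struct recv_result *out) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(NFDS * sizeof(int))]; } u;
    struct msghdr msg;
    int before = lowest_free_fd(sock);

    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (with_control) {
        msg.msg_control = u.buf;
        msg.msg_controllen = sizeof u.buf;
    }
    if (recvmsg(sock, &msg, 0) != 1) return -1;

    out->ctrunc = (msg.msg_flags & MSG_CTRUNC) != 0;
    out->nfds = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm != NULL;
         cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        size_t n = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        int fds[NFDS];
        if (n > NFDS) n = NFDS;
        memcpy(fds, CMSG_DATA(cm), n * sizeof(int));
        for (size_t i = 0; i < n; i++) close(fds[i]);
        out->nfds += (int)n;
    }
    out->fd_table_grew = lowest_free_fd(sock) != before;
    return 0;
}

/* Run the full-buffer case and the no-buffer case over one socketpair.
 * The descriptor passed is the read end of a pipe created here. */
static int run_demo(struct recv_result *full, struct recv_result *cut) {
    int sv[2], p[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (pipe(p) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (send_rights(sv[0], p[0]) == 0 && recv_rights(sv[1], 1, full) == 0 &&
        send_rights(sv[0], p[0]) == 0 && recv_rights(sv[1], 0, cut) == 0)
        rc = 0;
    close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) {
    struct recv_result full, cut;
    if (run_demo(&full, &cut) != 0) { perror("run_demo"); return 1; }
    /* Linux: "room for both: MSG_CTRUNC=0 delivered=2 leaked=0"
     *        "no buffer:     MSG_CTRUNC=1 delivered=0 leaked=0" */
    printf("room for both: MSG_CTRUNC=%d delivered=%d leaked=%d\n",
           full.ctrunc, full.nfds, full.fd_table_grew);
    printf("no buffer:     MSG_CTRUNC=%d delivered=%d leaked=%d\n",
           cut.ctrunc, cut.nfds, cut.fd_table_grew);
    return 0;
}
```

The example deliberately uses "no control buffer" rather than
"a buffer that fits only one of the two descriptors" as its
truncation case: how a partially fitting SCM_RIGHTS message is
split between delivered and discarded descriptors is a kernel
detail that varies, whereas a missing buffer discards every
right and must be cleaned up in full. A leak of descriptors into
the receiver's table would show up as fd_table_grew = 1; a leak
of the kernel's own file reference, the defect this advisory is
about, does not change either probe and is only reachable by
driving the counter around, which this code does not attempt.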
Impact:
A local user can exploit the bug to gain root privileges
or escape from a jail.