FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Integer overflow in libnv

Affected packages
14.1 <= FreeBSD-kernel < 14.1_5
14.0 <= FreeBSD-kernel < 14.0_11
13.4 <= FreeBSD-kernel < 13.4_1
13.3 <= FreeBSD-kernel < 13.3_7
14.1 <= FreeBSD < 14.1_5
14.0 <= FreeBSD < 14.0_11
13.4 <= FreeBSD < 13.4_1
13.3 <= FreeBSD < 13.3_7

Details

VuXML ID 93c12fe5-7716-11ef-9a62-002590c1f29c
Discovery 2024-09-19
Entry 2024-09-20

Problem Description:

A malicious size value in a packed libnv structure can cause an integer overflow, leading to the allocation of a smaller buffer than the parsed data requires. The check that was introduced was incorrect: it took into account the size of the pointer, not of the structure. This vulnerability affects both kernel and userland.

This issue was originally intended to be addressed as part of FreeBSD-SA-24:09.libnv, but due to a logic issue it was not properly addressed.
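The class of mistake described above, as an added illustration that is not FreeBSD's libnv source: an overflow guard that divides by the size of a pointer admits counts whose byte size wraps, while the same guard using the structure size rejects them. `struct elem`, `count_ok_flawed`, `count_ok_fixed` and `alloc_size` are hypothetical names, and the structure layout is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical packed element header; NOT libnv's real layout. */
struct elem {
	uint64_t type;
	uint64_t namesize;
	uint64_t datasize;
};

/* Flawed bound: divides by the size of a pointer to the structure. */
static bool
count_ok_flawed(size_t nitems)
{
	return (nitems <= SIZE_MAX / sizeof(struct elem *));
}

/* Corrected bound: divides by the size of the structure itself. */
static bool
count_ok_fixed(size_t nitems)
{
	return (nitems <= SIZE_MAX / sizeof(struct elem));
}

/* Compute the allocation size for nitems elements; false means rejected. */
static bool
alloc_size(size_t nitems, bool (*count_ok)(size_t), size_t *out)
{
	if (!count_ok(nitems))
		return (false);
	*out = nitems * sizeof(struct elem);	/* wraps if the bound was too lax */
	return (true);
}

int
main(void)
{
	/* Constructed input: smallest count whose byte size exceeds SIZE_MAX. */
	size_t n = SIZE_MAX / sizeof(struct elem) + 1, sz = 0;

	if (alloc_size(n, count_ok_flawed, &sz))
		printf("flawed check accepts %zu items, allocates %zu bytes\n", n, sz);
	if (!alloc_size(n, count_ok_fixed, &sz))
		printf("fixed check rejects %zu items\n", n);
	return (0);
}
```

When reviewing a fix of this kind, confirm that the divisor in the guard is the same `sizeof` expression used in the multiplication it protects.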

Impact:

It is possible for an attacker to overwrite portions of memory (in userland or the kernel) as the allocated buffer might be smaller than the data received from a malicious process. This vulnerability could result in privilege escalation or cause a system panic.

References

CVE Name CVE-2024-45287
FreeBSD Advisory SA-24:16.libnv