FreeBsd Security: Kernel memory disclosure in ifconf()
I. Background
The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce
a list of the existing network interfaces and copy it into a buffer
provided by the user process.
II. Problem Description
In generating the list of network interfaces, the kernel writes into a
portion of a buffer without first zeroing it. As a result, the prior
contents of the buffer will be disclosed to the calling process.
III. Impact
Up to 12 bytes of kernel memory may be disclosed to the user process.
Such memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.
The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce
a list of the existing network interfaces and copy it into a buffer
provided by the user process.
II. Problem Description
In generating the list of network interfaces, the kernel writes into a
portion of a buffer without first zeroing it. As a result, the prior
contents of the buffer will be disclosed to the calling process.
III. Impact
Up to 12 bytes of kernel memory may be disclosed to the user process.
Such memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.
