FreeBSD Stack Buffer Overflow Vulnerability in VOP_VPTOFH() Implementation on NFS-exported Filesystems

Vulnerability

A stack buffer overflow vulnerability has been identified in the VOP_VPTOFH() implementations of the cd9660, tarfs, and ext2fs filesystems on 64-bit FreeBSD systems. These implementations write 4 bytes past the end of the file identifier (FID) buffer, overrunning the stack buffer that holds it. An NFS server exporting any of these filesystems can be made to panic by mounting the export with an NFS client and accessing it. Further exploitation, such as bypassing file permission checks or remote kernel code execution, is conceivable but has not been demonstrated. Release kernels have stack protection enabled, which catches some instances of the overflow and causes a panic.
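To make the bug class concrete, here is an added, constructed example that is not FreeBSD's code: a generic fixed-size id buffer, a per-filesystem id struct that is 4 bytes larger on 64-bit builds, the unchecked copy that overruns the destination, and the bounded copy that fails cleanly instead. The struct layouts, sizes and names (struct fid, struct fs_fid, fid_slot, fid_copy_checked) are assumptions; the page does not state why the 4-byte discrepancy exists, and alignment padding is used here only as one plausible illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the generic file-handle id: a length word plus a
 * fixed opaque payload. Sizes are illustrative, not FreeBSD's definitions. */
#define MAXFIDSZ 16
struct fid {
    uint16_t fid_len;
    uint16_t fid_data0;
    char     fid_data[MAXFIDSZ];        /* 20 bytes in total */
};

/* Constructed per-filesystem id. Its 64-bit member gives the struct 8-byte
 * alignment, so on LP64 it is padded from 20 to 24 bytes, 4 more than struct
 * fid. Padding is an assumed cause; one way a 64-bit-only gap can arise. */
struct fs_fid {
    uint16_t fs_len;
    uint16_t fs_pad;
    uint64_t fs_ino;
    uint32_t fs_gen;
};

/* Destination: the generic id followed by a canary word, so an oversized
 * write is observable instead of silently clobbering the caller's stack. */
struct fid_slot {
    struct fid fid;
    uint32_t   canary;
};

size_t fid_overflow_bytes(void) {       /* how far fs_fid spills past fid */
    return sizeof(struct fs_fid) > sizeof(struct fid)
        ? sizeof(struct fs_fid) - sizeof(struct fid) : 0;
}

/* Vulnerable pattern: copy sizeof(fs_fid) bytes into a struct fid. */
void vptofh_unchecked(struct fid_slot *slot, uint64_t ino, uint32_t gen) {
    struct fs_fid f;
    memset(&f, 0, sizeof(f));           /* make padding bytes deterministic */
    f.fs_len = (uint16_t)sizeof(f); f.fs_ino = ino; f.fs_gen = gen;
    memcpy(slot, &f, sizeof(f));        /* 24 bytes into a 20-byte id */
}

/* Hardened pattern: bound the copy by the destination and fail instead. */
int fid_copy_checked(struct fid *dst, const void *src, size_t srclen) {
    if (srclen > sizeof(*dst))
        return EOVERFLOW;
    memcpy(dst, src, srclen);
    return 0;
}
```

On an LP64 build the unchecked copy overwrites the canary word, while the checked copy rejects the 24-byte id and accepts one that fits.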

Impact

Exploitation of this vulnerability causes a kernel panic on the NFS server. Further exploitation, such as bypassing file permission checks or remote kernel code execution, is conceivable but has not been demonstrated.

Remediation

Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the FreeBSD Update utility or for applying the source code patch are given in the FreeBSD Security Advisory.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.