FreeBSD
cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*
A stack buffer overflow vulnerability has been identified in the FreeBSD routing socket interface, specifically within the rtsock_msg_buffer() function. This vulnerability affects all supported FreeBSD versions. The issue arises because the function copies sockaddr structures into a sockaddr_storage structure on the stack, assuming that the source sockaddr length field has been validated. However, a malicious userspace program can craft a request that triggers a 127-byte overflow. This overflow overwrites the stack canary, a security feature that helps detect buffer overflows, leading to a kernel panic when the function returns. While the immediate impact is a denial-of-service condition, other kernel vulnerabilities could potentially allow an unprivileged user to exploit this issue for local privilege escalation.
Exploitation of this vulnerability causes a kernel panic, crashing the system. However, because the panic is produced only by the stack canary check that runs when the function returns, a bypass of that check could turn this denial-of-service condition into local privilege escalation.
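The unchecked copy the description refers to is a user-controlled `sa_len` driving a copy into a 128-byte `sockaddr_storage` on the stack. The following is an added example, not FreeBSD's code or its patch, showing the length validation a reviewer would expect in front of such a copy. It uses mock BSD-style structures (constructed here so the code builds on non-BSD systems), `overflow_bytes()` reproduces the 127-byte figure from the advisory (255 - 128), and `copy_sockaddr_checked()` and the `demo_*` functions are hypothetical names chosen for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, BSD-style layouts: FreeBSD's sockaddr begins with a one-byte
 * sa_len followed by sa_family, and sockaddr_storage is 128 bytes. These are
 * mock definitions (an assumption for portability), not the kernel headers. */
#define BSD_SS_SIZE 128u
#define BSD_SA_HDR  2u      /* sa_len + sa_family */

struct bsd_sockaddr {
    uint8_t sa_len;         /* total length of the structure, user-controlled */
    uint8_t sa_family;
    uint8_t sa_data[14];
};

struct bsd_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    uint8_t ss_pad[BSD_SS_SIZE - BSD_SA_HDR];
};

/* Largest overrun an unchecked copy of sa_len bytes into a 128-byte
 * sockaddr_storage can produce: sa_len is a uint8_t, so at most 255 - 128. */
size_t overflow_bytes(uint8_t sa_len)
{
    return sa_len > BSD_SS_SIZE ? (size_t)sa_len - BSD_SS_SIZE : 0;
}

/* Validated copy. 'avail' is the number of bytes actually present in the
 * source buffer (e.g. what the caller received from userspace). The declared
 * sa_len must cover its own header, must not exceed the bytes supplied, and
 * must fit the destination. Returns 0 on success, EINVAL on a bad length. */
int copy_sockaddr_checked(const struct bsd_sockaddr *src, size_t avail,
                          struct bsd_sockaddr_storage *dst)
{
    if (avail < BSD_SA_HDR)
        return EINVAL;                      /* cannot even read sa_len safely */

    uint8_t len = src->sa_len;
    if (len < BSD_SA_HDR || len > avail || len > sizeof(*dst))
        return EINVAL;

    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, len);                  /* bounded by the checks above */
    return 0;
}

/* Demo: a well-formed 16-byte sockaddr in a 16-byte buffer is accepted. */
int demo_accepts_valid(void)
{
    struct bsd_sockaddr sa = { .sa_len = sizeof sa, .sa_family = 2 };
    struct bsd_sockaddr_storage ss;
    return copy_sockaddr_checked(&sa, sizeof sa, &ss) == 0 && ss.ss_len == sizeof sa;
}

/* Demo: sa_len = 255 is rejected even though 255 source bytes are present,
 * because it exceeds the 128-byte destination. */
int demo_rejects_oversized(void)
{
    uint8_t buf[255] = { 255, 2 };          /* constructed: sa_len=255, family=2 */
    struct bsd_sockaddr_storage ss;
    return copy_sockaddr_checked((const struct bsd_sockaddr *)buf, sizeof buf, &ss) == EINVAL;
}

/* Demo: a declared length larger than the bytes actually supplied is
 * rejected, guarding the source side of the copy as well. */
int demo_rejects_short_buffer(void)
{
    struct bsd_sockaddr sa = { .sa_len = 64, .sa_family = 2 };
    struct bsd_sockaddr_storage ss;
    return copy_sockaddr_checked(&sa, sizeof sa, &ss) == EINVAL;
}

int main(void)
{
    printf("valid accepted: %d\n", demo_accepts_valid());
    printf("oversized rejected: %d\n", demo_rejects_oversized());
    printf("short buffer rejected: %d\n", demo_rejects_short_buffer());
    printf("max overrun of an unchecked copy: %zu bytes\n", overflow_bytes(255));
    return 0;
}
```

The upper bound is what the advisory is about; the lower bound and the `avail` check are the two companion checks a reviewer should look for in the same spot, since a length that is self-consistent but larger than the data actually received turns the overflow into an over-read.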
Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the pkg utility, freebsd-update utility, or by applying a source code patch are available in the FreeBSD Security Advisory.