FreeBSD Memory Protection Key Overwrite Vulnerability in Large Page Handling

A vulnerability exists in FreeBSD's handling of memory protection keys on amd64 systems. The issue arises in the kernel's page table management, specifically within the pmap_pkru_update_range() function. This function failed to properly account for 1GB large page mappings created with the shm_create_largepage(3) interface. As a result, the kernel could mistakenly treat certain userspace memory as a page table page, allowing an unprivileged user to overwrite memory that would typically be inaccessible to the application.

Impact

Exploitation of this vulnerability could lead to unauthorized memory access, allowing an application to overwrite data in memory regions that are normally protected.

Remediation

Users can upgrade to a supported FreeBSD version that includes the patch for this vulnerability. Instructions for updating via pkg(8), freebsd-update(8), or applying a source code patch are available in the FreeBSD Security Advisory FreeBSD-SA-26:11.amd64.