FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Privilege escalation in cd(4) driver

Affected packages
12.0 <= FreeBSD-kernel < 12.0_7
11.2 <= FreeBSD-kernel < 11.2_11

Details

VuXML ID 14a3b376-b30a-11e9-a87f-a4badb2f4699
Discovery 2019-07-02
Entry 2019-07-30

Problem Description:

To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device.

Impact:

A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.

References

CVE Name CVE-2019-5602
FreeBSD Advisory SA-19:11.cd_ioctl