FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- kernel memory disclosure from /dev/midistat

Affected packages
12.0 <= FreeBSD-kernel < 12.0_10
11.3 <= FreeBSD-kernel < 11.3_3
11.2 <= FreeBSD-kernel < 11.2_14

Details

VuXML ID 5027b62e-f680-11e9-a87f-a4badb2f4699
Discovery 2019-08-20
Entry 2019-10-24

Problem Description:

The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer.

Impact:

The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic.

References

CVE Name CVE-2019-5612
FreeBSD Advisory SA-19:23.midi