Problem Description:
Various user defined input such as mount points, devices, and
mount options are prepared and passed as arguments to
nmount(2) into the kernel. Under certain error conditions,
user defined data will be copied into a stack allocated buffer
stored in the kernel without sufficient bounds checking.
Impact:
If the system is configured to allow unprivileged users to
mount file systems, it is possible for a local adversary to
exploit this vulnerability and execute code in the context of
the kernel.
Workaround:
It is possible to work around this issue by allowing only
privileged users to mount file systems by running the
following sysctl(8) command:
# sysctl vfs.usermount=0