Vigil@nce - FreeBSD: integer overflow of amd64_set_ldt
May 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate an integer overflow in amd64_set_ldt() of
FreeBSD, in order to trigger a denial of service, and possibly to
run code with kernel privileges.
Impacted products: FreeBSD.
Severity: 2/4.
Creation date: 16/03/2016.
Revision date: 17/03/2016.
DESCRIPTION OF THE VULNERABILITY
The FreeBSD system offers the sysarch() system call, which
performs architecture-dependent operations.
The amd64_set_ldt() function defines the LDT (Local Descriptor
Table) and is called by sysarch(). However, sysarch() does not
correctly check negative parameter values, so a memory area that
is too large, and that does not belong to the process, is reset.
An attacker can therefore generate an integer overflow in
amd64_set_ldt() of FreeBSD, in order to trigger a denial of
service, and possibly to run code with kernel privileges.
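As an added illustration of the class of check described above, and not FreeBSD's own code or its patch: a stand-alone C routine that validates a signed (start, num) descriptor range before any memory is cleared, rejecting negative values and overflowing sums. The struct, function and constant names are assumptions chosen for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed values for illustration only; not FreeBSD's real constants. */
#define LDT_MAX_ENTRIES 8192   /* hardware maximum number of LDT entries */
#define LDT_DESC_SIZE   8      /* bytes per segment descriptor */

/* Mirrors the shape of a user-supplied request: both fields are signed,
 * which is exactly why negative values must be rejected up front. */
struct ldt_request {
    int start;   /* first descriptor index to write */
    int num;     /* number of descriptors */
};

/* Returns true only if [start, start+num) is a sane slice of the table.
 * All checks run on the signed inputs before any size arithmetic. */
bool ldt_range_ok(const struct ldt_request *req)
{
    if (req->start < 0 || req->num < 0)
        return false;            /* a negative int becomes huge when cast */
    if (req->start > LDT_MAX_ENTRIES || req->num > LDT_MAX_ENTRIES)
        return false;
    /* Both values are now bounded, so the sum cannot overflow an int. */
    if (req->start + req->num > LDT_MAX_ENTRIES)
        return false;
    return true;
}

/* Clears the requested descriptors in a caller-supplied table, but only
 * after validation. Returns 0 on success, -1 if the request is refused. */
int ldt_clear_range(uint8_t *table, size_t table_len,
                    const struct ldt_request *req)
{
    if (!ldt_range_ok(req))
        return -1;
    size_t off = (size_t)req->start * LDT_DESC_SIZE;
    size_t len = (size_t)req->num * LDT_DESC_SIZE;
    if (off > table_len || len > table_len - off)
        return -1;               /* the actual table may be smaller than max */
    memset(table + off, 0, len);
    return 0;
}
```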
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/FreeBSD-integer-overflow-of-amd64-set-ldt-19187