Analysis of CVE-2014-8476: a FreeBSD kernel memory disclosure vulnerability

One week ago, on November 4th, 2014, the FreeBSD team published security advisory FreeBSD-SA-14:25.setlogin describing an information disclosure vulnerability in setlogin(2) / getlogin(2), which could allow an unprivileged user to disclose kernel memory contents.

This vulnerability (identified as CVE-2014-8476) affects all supported versions of FreeBSD. This is the problem description, taken from the advisory:

When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.

The code of the vulnerable function (getlogin in FreeBSD 8.4, sys_getlogin in newer versions) is located at /sys/kern/kern_prot.c:
