The total size of the user-provided nmreq passed to nmreq_copyin() was first computed by walking the request's option headers in user memory, and that total was then trusted while the same user memory was copied in a second time. Because the size fields live in user space, a concurrent thread can change them between the two passes, so the kernel can copy more data than it allocated. This time-of-check to time-of-use bug can lead to kernel memory corruption. On systems whose devfs ruleset exposes the netmap device to a jail, a privileged (root) process inside that jail can reach the vulnerable code path and affect the host kernel; a jail that cannot see /dev/netmap (for example, because its devfs ruleset does not unhide it, which can be verified with devfs rule -s <ruleset> show) has no path to it.
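The two-pass pattern described above, as an added example that is not FreeBSD's netmap code: a user-controlled option list is walked once to size a kernel allocation, then walked again to copy it in, and a simulated racing thread grows one option's size field in between. The option header layout, the copyin() stand-in and the size caps are assumptions made for the model; the vulnerable variant only counts the bytes that would have landed past the allocation rather than writing them, and the hardened variant reads every user-controlled size exactly once into kernel memory and derives both the allocation and the copy lengths from that single copy.

```c
/* Model of a TOCTOU between a sizing pass and a copy pass over user memory.
 * Not FreeBSD code; header layout and limits are assumptions for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_OPTS  8       /* assumed cap on the number of options */
#define MAX_TOTAL 4096    /* assumed cap on total option bytes */

struct opt_hdr { uint32_t size; uint32_t type; };   /* hypothetical option header */
struct user_mem { unsigned char *buf; size_t len; }; /* simulated user mapping */
typedef void (*race_fn)(struct user_mem *);          /* simulated racing user thread */

/* Stand-in for copyin(9): -1 (EFAULT) if the range is outside the mapping. */
static int sim_copyin(const struct user_mem *u, size_t off, void *dst, size_t n)
{
    if (n > u->len || off > u->len - n)
        return -1;
    memcpy(dst, u->buf + off, n);
    return 0;
}

/* Vulnerable: pass 1 sums sizes read from user memory; pass 2 re-reads them and
 * trusts them.  Returns bytes pass 2 would write beyond the pass-1 allocation
 * (0 when safe, -1 on EFAULT).  The overflow is counted, never performed. */
static long vuln_copyin(struct user_mem *u, size_t nopts, race_fn race)
{
    struct opt_hdr h;
    size_t off = 0, total = 0, kp = 0, i;
    long over = 0;

    for (i = 0; i < nopts; i++) {                   /* pass 1: compute total */
        if (sim_copyin(u, off, &h, sizeof h)) return -1;
        total += sizeof h + h.size;
        off += sizeof h + h.size;
    }
    /* the kernel would allocate exactly `total` bytes here */
    if (race) race(u);                              /* TOCTOU window */
    off = 0;
    for (i = 0; i < nopts; i++) {                   /* pass 2: copy, trusting sizes */
        if (sim_copyin(u, off, &h, sizeof h)) return -1;
        size_t need = sizeof h + h.size;            /* BUG: re-read from user memory */
        if (need > u->len || off > u->len - need) return -1;
        if (kp + need > total) over += (long)(kp + need - total);
        kp += need;
        off += need;
    }
    return over;
}

/* Hardened: sizes are read once into kernel memory and bounded; allocation and
 * copy lengths both come from that copy.  Returns bytes copied, -1 on EFAULT,
 * -2 on an invalid size or count. */
static long safe_copyin(struct user_mem *u, size_t nopts, race_fn race,
                        unsigned char *kbuf, size_t kbuf_len)
{
    struct opt_hdr hdrs[MAX_OPTS];
    size_t off = 0, total = 0, kp = 0, i;

    if (nopts > MAX_OPTS) return -2;
    for (i = 0; i < nopts; i++) {
        if (sim_copyin(u, off, &hdrs[i], sizeof hdrs[i])) return -1;
        if (sizeof hdrs[i] > MAX_TOTAL - total ||
            hdrs[i].size > MAX_TOTAL - total - sizeof hdrs[i]) return -2;
        total += sizeof hdrs[i] + hdrs[i].size;
        off += sizeof hdrs[i] + hdrs[i].size;
    }
    if (total > kbuf_len) return -2;
    if (race) race(u);          /* same window, but user sizes are never re-read */
    off = 0;
    for (i = 0; i < nopts; i++) {
        memcpy(kbuf + kp, &hdrs[i], sizeof hdrs[i]);    /* kernel-side header */
        kp += sizeof hdrs[i]; off += sizeof hdrs[i];
        if (sim_copyin(u, off, kbuf + kp, hdrs[i].size)) return -1;
        kp += hdrs[i].size; off += hdrs[i].size;
    }
    return (long)total;
}

/* Constructed request: option 0 with a 16-byte payload, option 1 with 32 bytes. */
static void build_request(unsigned char *buf, size_t len)
{
    struct opt_hdr o0 = { 16, 1 }, o1 = { 32, 2 };
    memset(buf, 0xAB, len);
    memcpy(buf, &o0, sizeof o0);
    memcpy(buf + sizeof o0 + 16, &o1, sizeof o1);
}

/* Racing thread: option 1's header sits at offset 8 + 16; grow its size to 512. */
static void grow_second_option(struct user_mem *u)
{
    uint32_t big = 512;
    memcpy(u->buf + 24, &big, sizeof big);
}

long demo_vuln(int with_race)
{
    unsigned char user[1024];
    build_request(user, sizeof user);
    struct user_mem u = { user, sizeof user };
    return vuln_copyin(&u, 2, with_race ? grow_second_option : NULL);
}

long demo_safe(int with_race)
{
    unsigned char user[1024], kbuf[MAX_TOTAL];
    build_request(user, sizeof user);
    struct user_mem u = { user, sizeof user };
    return safe_copyin(&u, 2, with_race ? grow_second_option : NULL, kbuf, sizeof kbuf);
}

int main(void)
{
    printf("vulnerable, no race: %ld bytes past allocation\n", demo_vuln(0));
    printf("vulnerable, raced:   %ld bytes past allocation\n", demo_vuln(1));
    printf("hardened, no race:   %ld bytes copied\n", demo_safe(0));
    printf("hardened, raced:     %ld bytes copied\n", demo_safe(1));
    return 0;
}
```

With the race, the vulnerable variant sizes its allocation at 64 bytes and then tries to copy 544, i.e. 480 bytes past the end; the hardened variant still copies exactly the 64 bytes it allocated for, because the size it trusts is the one it already holds in kernel memory. The payload bytes it copies may be whatever the racing thread left behind, but the kernel's bounds are never derived from data that can change underneath it.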
This vulnerability allows local attackers to escalate privileges on affected installations of the FreeBSD kernel. An attacker must first obtain the ability to execute high-privileged code on the target system (root inside a jail that has been granted access to the netmap device is sufficient) in order to exploit this vulnerability.
The specific flaw exists within the handling of arguments to the netmap device. The issue results from the kernel re-reading user-controlled size fields from user memory after it has already used them to size an allocation, without any guard against those fields changing in between. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.