CVE-2022-23085

Se pasó una opción de entero proporcionada por el usuario a nmreq_copyin() sin comprobar si se desbordaría. Esta comprobación de los límites insuficiente podría provocar daños en la memoria del kernel. En sistemas configurados para incluir netmap en su devfs_ruleset, un proceso privilegiado que se ejecuta en una cárcel puede afectar el entorno del host.

This vulnerability allows local attackers to escalate privileges on affected installations of FreeBSD Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of arguments to the Netmap device. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.