FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)

Affected packages
10.0 <= FreeBSD-kernel < 10.0_12
9.3 <= FreeBSD-kernel < 9.3_5
9.2 <= FreeBSD-kernel < 9.2_15
9.1 <= FreeBSD-kernel < 9.1_22
8.4 <= FreeBSD-kernel < 8.4_19

Details

VuXML ID: 74389f22-6007-11e6-a6c3-14dae9d210b8
Discovery: 2014-11-04
Entry: 2016-08-11

Problem Description:

When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.

Impact:

An unprivileged user can access this memory by calling getlogin(2) and reading beyond the terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2).

This memory may contain sensitive information, such as portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.
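The copy pattern described above, as a userland simulation with one way to harden each side (an added example, not FreeBSD kernel code or the advisory's patch). The buffer size, struct, function names and the 'S' fill that stands in for stale stack contents are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define LOGBUF_LEN 33                          /* constructed size for this simulation */
struct session { char s_login[LOGBUF_LEN]; };  /* stand-in for the session structure */

/* Shared set path: the name (plus NUL) goes into a temp buffer, then the
 * WHOLE temp buffer is copied into the session. 'fill' is what the temp
 * buffer held beforehand; reading truly uninitialized memory is undefined
 * in C, so stale stack contents are simulated with an explicit fill. */
static int set_login(struct session *s, const char *name, int fill) {
    char tmp[LOGBUF_LEN];
    size_t n = strlen(name) + 1;
    if (n > sizeof(tmp)) return -1;            /* name does not fit */
    memset(tmp, fill, sizeof(tmp));
    memcpy(tmp, name, n);                      /* tail of tmp is left untouched */
    memcpy(s->s_login, tmp, sizeof(tmp));      /* tail lands in the session */
    return 0;
}

/* Vulnerable set: temp buffer still holds old data (simulated as 'S'). */
int setlogin_vuln(struct session *s, const char *name) { return set_login(s, name, 'S'); }

/* Hardened set: temp buffer is zeroed before the name is copied in. */
int setlogin_fixed(struct session *s, const char *name) { return set_login(s, name, 0); }

/* Vulnerable get: hands back the entire buffer, not just the string. */
size_t getlogin_vuln(const struct session *s, char *out) {
    memcpy(out, s->s_login, LOGBUF_LEN);
    return LOGBUF_LEN;
}

/* Hardened get: copies out only the string and its terminator. */
size_t getlogin_fixed(const struct session *s, char *out) {
    size_t n = strlen(s->s_login) + 1;
    memcpy(out, s->s_login, n);
    return n;
}

/* Audit helper: counts nonzero bytes after the first NUL in out[0..len). */
size_t bytes_past_nul(const char *out, size_t len) {
    const char *nul = memchr(out, 0, len);
    size_t leaked = 0;
    for (size_t i = nul ? (size_t)(nul - out) : len; i < len; i++)
        if (out[i] != 0) leaked++;
    return leaked;
}
```

Either hardening alone closes the leak in this model; applying both means a regression on one side does not reopen it.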

References

CVE Name: CVE-2014-8476
FreeBSD Advisory: SA-14:25.setlogin