FreeBSD kernel bugs and general patches
Patched
Critical
Analysis of CVE-2016-1886, SETFKEY FreeBSD kernel vulnerability
Analysis of CVE-2016-1887, sendmsg FreeBSD kernel heap overflow
Analysis of stack disclosure vulnerabilities in FreeBSD compatibility layers
Fix off-by-one (page) errors in checks in d_mmap methods of several drivers, and a lot of drivers were also vulnerable because they didn't check for negative offsets (this probably should have gotten a CVE for privilege escalation as at least some of the affected drivers were user readable like adlink_mmap)
Non-critical
Fix double strlen in ktrstruct - Accepted patch
Out of bounds negative array index in iicrdwr - Accepted patch
Kernel stack overflow in sysctl handler for kern.binmisc.add - Accepted patch
hpt_set_info buffer overflow - Accepted patch
Memory leak in ctl.c - Accepted patch
Improper userland pointer handling in aacraid - Accepted patch
Heap overflow in nlm system call - Accepted patch
Integer overflow in nfssvc system call - Accepted patch
Use of uninitialised stack data in bxe device - Code removed altogether
amd64_set_ioperm overflow - Accepted patch
Memory leak in LINUX_TCGETS ioctl command - Accepted patch
Heap overflows in an driver - Accepted patch
User memory write in svr4 - Accepted patch
Race condition in vt driver - Accepted patch
Boot overflows when reading loader.conf - Accepted patch
Negative array index in ctl.c - Accepted patch
Minor bugs in vidcontrol - Accepted patch
OGIO_KEYMAP command does not restore priority level - Accepted patch
Nandsim device driver race condition bugs
Unpatched
IPFW firewall heap overflow
DoS / heap overflow in bpf_stats_sysctl
Heap overflow in geom ioctl handler
Use of initialised stack variables in tdfx_query_update
witness_initialize() does not perform bound checking of witness_count
Integer overflow in sysctl_kern_proc_args
kiconv reference count integer overflow
kbd race attacks
Iconv uses strlen directly on user supplied memory
DoS in gsstest
Out of bounds access in vlan
Race condition vulnerabilities in proto device
Multiple bugs in mpr ioctl handler
ip_dummynet_compat improve size validation
OpenBSD
sti integer overflow - Accepted patch
incorrect free size in console driver - Accepted patch
NetBSD
Integer overflows in 4 different devices relating to WSDISPLAYIO_GETCMAP command