FreeBSD kernel bugs and general patches

---

Patched

Critical

• Analysis of CVE-2016-1886, SETFKEY FreeBSD kernel vulnerability
• Analysis of CVE-2016-1887, sendmsg FreeBSD kernel heap overflow
• Analysis of stack disclosure vulnerabilities in FreeBSD compatibility layers
• Fix off-by-one (page) errors in checks in d_mmap methods of several drivers, and a lot of drivers were also vulnerable because they didn't check for negative offsets (this probably should have gotten a CVE for privilege escalation as at least some of the affected drivers were user readable like adlink_mmap)

Non-critical

• Fix double strlen in ktrstruct - Accepted patch
• Out of bounds negative array index in iicrdwr - Accepted patch
• Kernel stack overflow in sysctl handler for kern.binmisc.add - Accepted patch
• hpt_set_info buffer overflow - Accepted patch
• Memory leak in ctl.c - Accepted patch
• Improper userland pointer handling in aacraid - Accepted patch
• Heap overflow in nlm system call - Accepted patch
• Integer overflow in nfssvc system call - Accepted patch
• Use of uninitialised stack data in bxe device - Code removed altogether
• amd64_set_ioperm overflow - Accepted patch
• Memory leak in LINUX_TCGETS ioctl command - Accepted patch
• Heap overflows in an driver - Accepted patch
• User memory write in svr4 - Accepted patch
• Race condition in vt driver - Accepted patch
• Boot overflows when reading loader.conf - Accepted patch
• Negative array index in ctl.c - Accepted patch
• Minor bugs in vidcontrol - Accepted patch
• OGIO_KEYMAP command does not restore priority level - Accepted patch
• Nandsim device driver race condition bugs

Unpatched

• IPFW firewall heap overflow
• DoS / heap overflow in bpf_stats_sysctl
• Heap overflow in geom ioctl handler
• Use of initialised stack variables in tdfx_query_update
• witness_initialize() does not perform bound checking of witness_count
• Integer overflow in sysctl_kern_proc_args
• kiconv reference count integer overflow
• kbd race attacks
• Iconv uses strlen directly on user supplied memory
• DoS in gsstest
• Out of bounds access in vlan
• Race condition vulnerabilities in proto device
• Multiple bugs in mpr ioctl handler
• ip_dummynet_compat improve size validation

OpenBSD

• sti integer overflow - Accepted patch
• incorrect free size in console driver - Accepted patch

NetBSD

• Integer overflows in 4 different devices relating to WSDISPLAYIO_GETCMAP command