Versions Affected: All versions prior to TrueNAS 12.0-U3


Description

An unprivileged process can configure an accept filter on a listening socket.

This is done using the setsockopt(2) system call. The process supplies the name of the accept filter which is to be attached to the socket, as well as a string containing filter-specific information. If the filter implements the accf_create callback, the socket option handler attempts to preserve the process-supplied argument string. A bug in the socket option handler caused this string to be freed prematurely, leaving a dangling pointer. Additional operations on the socket can turn this into a double free or a use-after-free. The bug may be exploited to trigger local privilege escalation or kernel memory disclosure.


Workaround

Systems not using accept filters, or using only the accept filters included with the FreeBSD base system (accf_data(9), accf_dns(9), and accf_http(9)) are unaffected.


Mitigation

  • Upgrade to TrueNAS 12.0-U3 or later.
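The two tests above (is the release at or after 12.0-U3, and are any accept filters beyond the base-system accf_data, accf_dns and accf_http loaded) can be turned into a small triage check. The following Python is an added example written for this page, not part of the advisory or of TrueNAS; it assumes that TrueNAS CORE version strings follow the `MAJOR.MINOR[-Un[.p]]` pattern, that accept filter kernel modules appear in `kldstat(8)` output with an `accf_` prefix in the last column, and the sample `kldstat` text (including the hypothetical `accf_example.ko`) is constructed for the demonstration.

```python
import re

# Accept filters shipped with the FreeBSD base system. Per the advisory,
# systems that load only these (or none at all) are unaffected.
BASE_ACCEPT_FILTERS = {"accf_data", "accf_dns", "accf_http"}

# First TrueNAS release carrying the fix, as (major, minor, update, patch).
FIXED_RELEASE = (12, 0, 3, 0)

# Constructed kldstat(8) output for the demonstration; accf_example.ko is a
# hypothetical third-party accept filter module, not a real one.
SAMPLE_KLDSTAT = """\
Id Refs Address                Size Name
 1   45 0xffffffff80200000  1f2c3a0 kernel
 2    1 0xffffffff82a00000     2210 accf_http.ko
 3    1 0xffffffff82a03000     1e80 accf_example.ko
 4    1 0xffffffff82a05000     4d20 tmpfs.ko
"""


def parse_truenas_version(version):
    """Turn '12.0-U2.1' into (12, 0, 2, 1) so releases compare as tuples.

    A release with no '-U' suffix (e.g. '12.0') is treated as update 0.
    The pattern is an assumption about TrueNAS CORE naming, not something
    the advisory states.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:-U(\d+)(?:\.(\d+))?)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised TrueNAS version: {version!r}")
    major, minor, update, patch = m.groups()
    return (int(major), int(minor), int(update or 0), int(patch or 0))


def version_is_fixed(version):
    """True when the release is 12.0-U3 or later."""
    return parse_truenas_version(version) >= FIXED_RELEASE


def loaded_accept_filters(kldstat_output):
    """Collect accept filter module names from kldstat(8) output.

    The module name is the last column of each data row; the '.ko' suffix is
    dropped so names compare against BASE_ACCEPT_FILTERS. Filters compiled
    statically into a custom kernel do not show up here (see note below).
    """
    names = set()
    for line in kldstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Id":  # skip blanks and the header row
            continue
        name = fields[-1]
        if name.endswith(".ko"):
            name = name[:-3]
        if name.startswith("accf_"):
            names.add(name)
    return names


def assess(version, kldstat_output):
    """Apply the advisory's affected/unaffected criteria to one host."""
    filters = loaded_accept_filters(kldstat_output)
    third_party = sorted(filters - BASE_ACCEPT_FILTERS)
    fixed = version_is_fixed(version)
    if fixed:
        status = "not vulnerable: release includes the fix"
    elif not filters:
        status = "not affected: no accept filters loaded"
    elif not third_party:
        status = "not affected: only base-system accept filters loaded"
    else:
        status = "potentially affected: non-base accept filters loaded, upgrade to 12.0-U3"
    return {
        "version": version,
        "fixed": fixed,
        "filters": sorted(filters),
        "third_party": third_party,
        "status": status,
    }


if __name__ == "__main__":
    for v in ("12.0-U2.1", "12.0-U3"):
        print(assess(v, SAMPLE_KLDSTAT)["status"])
```

On a real host the second argument would be the output of `kldstat`, read from a subprocess. The module listing is a conservative check only: an accept filter built into a custom kernel rather than loaded as a module will not appear, so on an unpatched system the upgrade in the Mitigation section is the only reliable fix.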

Commit


Further information