Integer overflow in the pipe_build_write_buffer function (sys/kern/sys_pipe.c) in the direct write optimization feature in the pipe implementation in FreeBSD 7.1 through 7.2 and 6.3 through 6.4 allows local users to bypass virtual-to-physical address lookups and read sensitive information in memory pages via unspecified vectors.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 6.3 (including) | 6.3 (including) |
| Freebsd | Freebsd | 6.3-release_p10 (including) | 6.3-release_p10 (including) |
| Freebsd | Freebsd | 6.3_releng (including) | 6.3_releng (including) |
| Freebsd | Freebsd | 6.4 (including) | 6.4 (including) |
| Freebsd | Freebsd | 6.4-release_p4 (including) | 6.4-release_p4 (including) |
| Freebsd | Freebsd | 6.4-stable (including) | 6.4-stable (including) |
| Freebsd | Freebsd | 7.1 (including) | 7.1 (including) |
| Freebsd | Freebsd | 7.1-pre-release (including) | 7.1-pre-release (including) |
| Freebsd | Freebsd | 7.1-rc1 (including) | 7.1-rc1 (including) |
| Freebsd | Freebsd | 7.1-release-p1 (including) | 7.1-release-p1 (including) |
| Freebsd | Freebsd | 7.1-release-p2 (including) | 7.1-release-p2 (including) |
| Freebsd | Freebsd | 7.1-release-p5 (including) | 7.1-release-p5 (including) |
| Freebsd | Freebsd | 7.1-stable (including) | 7.1-stable (including) |
| Freebsd | Freebsd | 7.2 (including) | 7.2 (including) |
| Freebsd | Freebsd | 7.2-pre-release (including) | 7.2-pre-release (including) |