In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r349806, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, code which handles close of a descriptor created by posix_openpt fails to undo a signal configuration. This causes an incorrect signal to be raised leading to a write after free of kernel memory allowing a malicious user to gain root privileges or escape a jail.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 11.0 (including) | 11.0 (including) |
| Freebsd | Freebsd | 11.2 (including) | 11.2 (including) |
| Freebsd | Freebsd | 11.3 (including) | 11.3 (including) |
| Freebsd | Freebsd | 12.0 (including) | 12.0 (including) |