FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- File description reference count leak

Affected packages
12.0 <= FreeBSD-kernel < 12.0_3


VuXML ID 86c89abf-2d91-11e9-bf3e-a4badb2f4699
Discovery 2019-02-05
Entry 2019-02-11

Problem Description:

FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process' descriptor table, the kernel handles the truncation case by closing descriptors referenced by the discarded message.

The code which performs this operation failed to release a reference obtained on the file corresponding to a received right. This bug can be used to cause the reference counter to wrap around and free the file structure.


A local user can exploit the bug to gain root privileges or escape from a jail.


CVE Name CVE-2019-5596
FreeBSD Advisory SA-19:02.fd