FreeBSD-SA-19:02.fd Security Advisory
The FreeBSD Project
Topic: File description reference count leak
Credits: Peter Holm
Affects: FreeBSD 12.0
Corrected: 2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
           2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
           2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name: CVE-2019-5596
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
UNIX-domain sockets are used for inter-process communication. It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.
II. Problem Description
FreeBSD 12.0 attempts to handle the case where the receiving process does
not provide a sufficiently large buffer for an incoming control message
containing rights. In particular, to avoid leaking the corresponding
descriptors into the receiving process' descriptor table, the kernel handles
the truncation case by closing descriptors referenced by the discarded
The code which performs this operation failed to release a reference obtained
on the file corresponding to a received right. This bug can be used to cause
the reference counter to wrap around and free the file structure.
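
The effect of the missing release can be seen in a small userland model. This is an added example, not FreeBSD kernel code and not part of the advisory; all names are hypothetical, and the counter is narrowed to 8 bits (an assumption) so that the wrap-around is reached after 255 iterations.

```c
/* Userland toy model of the leak; NOT FreeBSD kernel code.
 * All names are hypothetical. The counter is 8 bits wide (an assumption)
 * so the wrap is reachable in 255 iterations. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct file_model {
    uint8_t refs;    /* narrow on purpose */
    bool    freed;   /* set when the last reference is released */
};

static void hold(struct file_model *f) { f->refs++; }   /* wraps at 256 */

static void drop(struct file_model *f)
{
    if (--f->refs == 0)
        f->freed = true;
}

/* Discard one right from a truncated control message. */
static void discard_right(struct file_model *f, bool fixed)
{
    hold(f);          /* reference obtained on the file for the right */
    /* closing the receiver's descriptor is not modelled here */
    if (fixed)
        drop(f);      /* the release that the buggy path omitted */
}

/* Two legitimate owners hold the file, n truncated receives happen, then one
 * owner closes. Returns true if the file is freed while the other owner
 * still holds it. */
static bool freed_while_referenced(unsigned n, bool fixed)
{
    struct file_model f = { .refs = 2, .freed = false };
    for (unsigned i = 0; i < n; i++)
        discard_right(&f, fixed);
    drop(&f);         /* first owner closes */
    return f.freed;   /* second owner has not closed yet */
}

int main(void)
{
    printf("leaky, 255 discards: freed early = %d\n", freed_while_referenced(255, false));
    printf("fixed, 255 discards: freed early = %d\n", freed_while_referenced(255, true));
    return 0;
}
```

With the release in place the count returns to its starting value after every discard, so no number of truncated receives brings it to zero while an owner remains.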
III. Impact
A local user can exploit the bug to gain root privileges or escape from
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility: