FreeBSD-SA-19:23.midi Security Advisory
The FreeBSD Project
Topic: kernel memory disclosure from /dev/midistat
Credits: Peter Holm, Mark Johnston
Affects: All supported versions of FreeBSD.
Corrected: 2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
           2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
           2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
           2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
           2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name: CVE-2019-5612
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the system.
II. Problem Description
The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.
III. Impact
The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer. The buffer is allocated each
time the device is opened, so an attacker is not limited to a static
4GB region of memory.
On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.
IV. Workaround
Restrict permissions on /dev/midistat by adding an entry to
/etc/devfs.conf and restarting the service:
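Added example, not part of the advisory: sh functions that check whether a devfs.conf-style file carries a `perm` rule for midistat denying group and other access, and that flag a missing or too-permissive rule. The function names and the owner-only mode 0600 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a devfs.conf-style file for a rule restricting midistat.
# Assumption: 0600 (owner-only) is the intended restrictive mode.

# Print the mode from the last "perm <dev> <mode>" line. Comment lines and
# other actions are ignored; the last match is assumed effective because
# entries are applied in file order.
conf_mode_for() {
    conf=$1 dev=$2
    [ -r "$conf" ] || return 0
    awk -v dev="$dev" '
        /^[ \t]*#/ { next }
        $1 == "perm" && $2 == dev { mode = $3 }
        END { if (mode != "") print mode }
    ' "$conf"
}

# Succeed only if the octal mode grants nothing to group or other.
mode_is_owner_only() {
    case $1 in
        ''|*[!0-7]*) return 1 ;;   # empty or not an octal string
    esac
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Print OK, WEAK (rule present but too open) or MISSING (no rule at all).
audit_midistat() {
    mode=$(conf_mode_for "${1:-/etc/devfs.conf}" midistat)
    if [ -z "$mode" ]; then
        echo "MISSING"; return 2
    elif mode_is_owner_only "$mode"; then
        echo "OK $mode"; return 0
    else
        echo "WEAK $mode"; return 1
    fi
}

# Check the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_midistat /etc/devfs.conf
    # FreeBSD stat(1): permission bits of the device node, in octal.
    stat -f '%Lp' /dev/midistat
fi
```

A rule in the file only takes effect once the devfs service has been restarted, so the mode of the device node itself should be compared against the configured one.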