Integer signedness error in the genkbd_commonioctl function in sys/dev/kbd/kbd.c in FreeBSD 9.3 before p42, 10.1 before p34, 10.2 before p17, and 10.3 before p3 allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory overwrite and kernel crash), or gain privileges via a negative value in the flen structure member in the arg argument in a SETFKEY ioctl call, which triggers a "two way heap and stack overflow."
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.securitytracker.com/id/1035905 | vdb entry |
| http://www.securityfocus.com/bid/90734 | vdb entry |
| https://www.freebsd.org/security/advisories/FreeBSD-SA-16:18.atkbd.asc | vendor advisory |
| https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch | patch |
| http://cturt.github.io/SETFKEY.html | exploit |