FreeBSD kernel buffer overflow

Julian Elischer julian at
Thu Sep 16 15:17:40 PDT 2004

As you point out,

gerarra at wrote:

>Topic: Buffer Overflow in FreeBSD
>Versions: All the versions of FreeBSD are broken (4.x, 5.x, 6.0)
>Arch: x86
>Date: 16/09/2004
>A buffer overflow has been found in i386/i386/trap.c syscall() function
>of FreeBSD official
>source tree.

As you say below, this is not exploitable except for root.
The number of arguments for a syscall is defined within the kernel and
is not supplied from an untrusted source. This means that this is not a
security problem.
To load a kernel module you must be root (and not in a jail), meaning
that if you wanted to, the quicker and easier exploit would be


The arg mask is not there for security, but rather to allow other values
to be stored in the same longword.

>It's exploitable, but the only way I discovered is to link a new syscall
>to the sysent array and to do this you need to be root; I've no time to
>work on this vulnerability, but I think another way could be found.
>However it could give serious problems (e.g. kernel
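As an added illustration of the point made in this exchange (not code from FreeBSD or from either poster), the following constructed model shows how the argument count lives in the low bits of the sysent entry's longword alongside unrelated flags, why the mask exists, and what a bound on that count against the on-stack argument buffer looks like. The constant names SYF_ARGMASK and SYF_MPSAFE and the buffer size of 8 are assumptions for this model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the sysent narg/argmask convention discussed above
 * (not the kernel's own code): the low bits of the sy_narg word hold the
 * argument count, the upper bits hold flags that share the same longword. */
#define SYF_ARGMASK 0x0000FFFF   /* assumed name for the arg mask */
#define SYF_MPSAFE  0x00010000   /* assumed example flag sharing the word */

#define MAX_SYSCALL_ARGS 8       /* assumed size of the kernel's args[] buffer */

struct sysent_entry {
    int32_t sy_narg;             /* flags | argument count */
};

/* Constructed table: entry 0 is a normal entry (3 args, flag set);
 * entry 1 stands in for an entry a loaded module could install with an
 * argument count larger than the kernel's local buffer. */
static const struct sysent_entry table[] = {
    { SYF_MPSAFE | 3 },
    { 200 },
};

/* Returns the argument count, or -1 if it would overrun args[]. The mask
 * strips the flag bits; the bound is the defensive check that makes the
 * copy safe even if the table entry itself were malformed. */
int checked_narg(int32_t sy_narg)
{
    int narg = sy_narg & SYF_ARGMASK;
    if (narg > MAX_SYSCALL_ARGS)
        return -1;
    return narg;
}

/* Simulated copy of user-supplied argument words into the bounded kernel
 * buffer. Returns 0 on success, EINVAL if the table entry is malformed. */
int fetch_args(const struct sysent_entry *e, const int32_t *user_params,
               int32_t args[MAX_SYSCALL_ARGS])
{
    int narg = checked_narg(e->sy_narg);
    if (narg < 0)
        return EINVAL;
    memcpy(args, user_params, (size_t)narg * sizeof(int32_t));
    return 0;
}

/* Drives both table entries; returns 1 if the well-formed entry is
 * accepted with its arguments copied and the malformed one is rejected. */
int demo(void)
{
    int32_t params[3] = { 1, 2, 3 };           /* constructed user words */
    int32_t args[MAX_SYSCALL_ARGS] = { 0 };
    if (fetch_args(&table[0], params, args) != 0 || args[2] != 3)
        return 0;
    if (fetch_args(&table[1], params, args) != EINVAL)
        return 0;
    return 1;
}
```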

