[UNIX] FreeBSD sendfile Kernel Information Disclosure
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 10 Nov 2005 14:32:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
FreeBSD sendfile Kernel Information Disclosure
The FreeBSD sendfile system call allows a server application (such as an
HTTP or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory.
The FreeBSD kernel does not clean memory parts before being used with
sendfile, allowing users to retrieve random information about the system.
* FreeBSD 4 series
* FreeBSD 5 series prior to 5.4-RELEASE
* FreeBSD RELENG_5, 5.4-STABLE
* FreeBSD RELENG_5_4, 5.4-RELEASE
* FreeBSD RELENG_5_3, 5.3-RELEASE-p7
* FreeBSD RELENG_4, 4.11-STABLE
* FreeBSD RELENG_4_11, 4.11-RELEASE-p2
* FreeBSD RELENG_4_10, 4.10-RELEASE-p7
* FreeBSD RELENG_4_8, 4.8-RELEASE-p29
If the file being transmitted is truncated after the transfer has started
but before it completes, sendfile will transfer the contents of more or
less random portions of kernel memory in lieu of the missing part of the
A local user could create a large file and truncate it while transferring
it to himself, thus obtaining a copy of portions of system memory to which
he would normally not have access. Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged to obtain
elevated privileges in some way. For example, a terminal buffer might
include a user-entered password.
The information has been provided by FreeBSD Security.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.