Total vulnerabilities in the database
The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption.
On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.
| Software | From | Fixed in |
|---|---|---|
| freebsd / freebsd | 13.0-rc5 | 13.0-rc5.x |
| freebsd / freebsd | 13.0-rc1 | 13.0-rc1.x |
| freebsd / freebsd | 13.0-rc2 | 13.0-rc2.x |
| freebsd / freebsd | 13.0-rc4 | 13.0-rc4.x |
| freebsd / freebsd | 13.0-beta1 | 13.0-beta1.x |
| freebsd / freebsd | 13.0-beta2 | 13.0-beta2.x |
| freebsd / freebsd | 13.0-p2 | 13.0-p2.x |
| freebsd / freebsd | 13.0-p3 | 13.0-p3.x |
| freebsd / freebsd | 13.0-p4 | 13.0-p4.x |
| freebsd / freebsd | 13.0-p5 | 13.0-p5.x |
| freebsd / freebsd | 13.0-rc3 | 13.0-rc3.x |
| freebsd / freebsd | 13.0-rc5-p1 | 13.0-rc5-p1.x |
| freebsd / freebsd | 13.0 | 13.0.x |
| freebsd / freebsd | 13.0-beta3 | 13.0-beta3.x |
| freebsd / freebsd | 13.0-beta3-p1 | 13.0-beta3-p1.x |
| freebsd / freebsd | 13.0-beta4 | 13.0-beta4.x |
| freebsd / freebsd | 13.0-p1 | 13.0-p1.x |
| freebsd / freebsd | 12.3-p1 | 12.3-p1.x |
| freebsd / freebsd | 13.0-p6 | 13.0-p6.x |
| freebsd / freebsd | 13.0-p7 | 13.0-p7.x |
| freebsd / freebsd | 13.0-p8 | 13.0-p8.x |
| freebsd / freebsd | 13.0-p9 | 13.0-p9.x |
| freebsd / freebsd | 13.0-p10 | 13.0-p10.x |
| freebsd / freebsd | 12.0 | 12.3 |
| freebsd / freebsd | 12.3 | 12.3.x |
| freebsd / freebsd | 12.3-p2 | 12.3-p2.x |
| freebsd / freebsd | 12.3-p3 | 12.3-p3.x |
| freebsd / freebsd | 12.3-p4 | 12.3-p4.x |