CVE-2017-1086
Description
A kernel stack memory disclosure vulnerability in FreeBSD's ptrace(PT_LWPINFO) allows debuggers to observe uninitialized kernel stack bytes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ptrace(2) syscall with the PT_LWPINFO subcommand fills a struct ptrace_lwpinfo on the kernel stack, but the kernel does not initialize all bytes or short strings in the structure that are irrelevant for the current thread's state. Consequently, uninitialized kernel stack content is copied to userspace. This leak affects FreeBSD versions prior to the following fixed releases: 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24 [1].
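The pattern described above, reduced to a userspace C model: a handler fills only the state-relevant fields of a stack structure and copies the whole structure out, once without and once with zeroing it first. This is an added example, not FreeBSD kernel code or the advisory's patch; the struct, its field names, the flag, the sample values and the 0xA5 stale-byte marker are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STALE 0xA5        /* constructed marker for leftover stack bytes */
#define MODEL_FORKED 0x1  /* hypothetical flag: a fork event is being reported */

/* Model only: simplified stand-in for struct ptrace_lwpinfo, hypothetical fields. */
struct model_lwpinfo {
    int  lwpid;
    int  flags;
    char tdname[20];      /* short thread name, NUL-terminated */
    int  child_pid;       /* only meaningful when MODEL_FORKED is set */
};

/* Models the request handler; `out` plays the role of the user buffer.
 * zero_first = 0 is the flawed pattern, zero_first = 1 the hardened one. */
void model_lwpinfo_request(unsigned char *out, int flags, int zero_first)
{
    struct model_lwpinfo pl;

    memset(&pl, STALE, sizeof(pl));      /* simulate reused stack contents */
    if (zero_first)
        memset(&pl, 0, sizeof(pl));      /* hardening: clear before filling */
    /* Fill only the fields relevant to the current state. */
    pl.lwpid = 100123;                   /* constructed sample value */
    pl.flags = flags;
    snprintf(pl.tdname, sizeof(pl.tdname), "%s", "sh");
    if (flags & MODEL_FORKED)
        pl.child_pid = 4242;             /* constructed sample value */
    memcpy(out, &pl, sizeof(pl));        /* stands in for the copy to userspace */
}

/* Count bytes in the returned buffer that still hold stale stack content. */
size_t stale_bytes(int flags, int zero_first)
{
    unsigned char out[sizeof(struct model_lwpinfo)];
    size_t i, n = 0;
    model_lwpinfo_request(out, flags, zero_first);
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("not zeroed: %zu stale bytes returned\n", stale_bytes(0, 0));
    printf("zeroed:     %zu stale bytes returned\n", stale_bytes(0, 1));
    return 0;
}
```

In the model, the stale bytes come from the tail of the name buffer after the terminating NUL and from the field that is skipped when its flag is not set; zeroing the whole structure before filling removes both.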
Exploitation
An attacker must have the ability to call ptrace(PT_LWPINFO) on a process, which typically requires the PROC_TRACE capability or being the parent process or a debugger with appropriate privileges. The attacker does not need authentication beyond having access to a debugger that can perform the PT_LWPINFO request. By reading the returned structure, uninitialized bytes from the kernel stack are exposed; no special race window or user interaction on the target process is required beyond it being in a stopped state [1].
Impact
A local attacker can observe up to a few bytes of kernel stack memory from the thread that handled the ptrace call. This information leak may disclose sensitive kernel data, such as pointers or fragments of other data previously stored on that stack, aiding in bypassing kernel address space layout randomization (KASLR) or gathering details for further exploitation. The impact is limited to information disclosure (confidentiality) and does not directly provide code execution or privilege escalation, hence the low CVSS score of 3.3 [1].
Mitigation
FreeBSD released patches on 2017-11-15, as listed in the advisory: update to 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, or 10.3-RELEASE-p24. No workarounds are documented; applying the kernel patch is the only remedy. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
Patches (0)
No patches discovered yet.
References (3)
- www.securityfocus.com/bid/101861 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039809 (nvd: Third Party Advisory, VDB Entry)
- www.freebsd.org/security/advisories/FreeBSD-SA-17:08.ptrace.asc (nvd: Vendor Advisory)