An input validation error exists in the NetBSD kernel that may result in a denial of service or allow a user to execute arbitrary code with elevated privileges. The problem is due to insufficient length checking on a parameter passed to the semop() function. The function stores an unsigned integer argument into a local signed variable. This value is then used to copy data from user memory to the process' kernel stack. By causing a signed integer overflow, a user can bypass the bounds check. This vulnerability can be used to write an almost arbitrary number of bytes to the process' kernel stack. It could be exploited to cause a kernel trap, call arbitrary kernel code, or execute arbitrary code on an architecture where stack memory is executable.
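The following is an added example, not NetBSD's code, that models the length-check flaw the advisory describes: an unsigned count is stored in a signed local, so a very large value turns negative and passes a "too large" comparison, producing an oversized copy length. The constants MAX_OPS, OP_SIZE and STACK_BUF and the function names are assumptions chosen for illustration; the hardened form keeps the value unsigned and checks it before deriving a byte count.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the check pattern described in the advisory.
 * These bounds are assumptions, not values from the NetBSD source. */
#define MAX_OPS   500u                 /* assumed cap on operations per call */
#define OP_SIZE   8u                   /* assumed size of one operation record */
#define STACK_BUF (MAX_OPS * OP_SIZE)  /* assumed kernel stack buffer size  */

/* Vulnerable pattern: the unsigned argument lands in a signed local.
 * A value >= 2^31 converts (implementation-defined, two's complement
 * in practice) to a negative number, which is never "> MAX_OPS", so the
 * request is accepted and the derived copy length overruns STACK_BUF.
 * Returns the number of bytes the caller would copy, or 0 if rejected. */
size_t vulnerable_copy_len(unsigned int nsops)
{
    int n = (int)nsops;                   /* sign confusion happens here */
    if (n > (int)MAX_OPS)                 /* negative n slips past this */
        return 0;
    return (size_t)(unsigned int)n * OP_SIZE;
}

/* Hardened pattern: keep the count unsigned, reject zero and anything
 * above the cap, and only then compute the byte count. */
size_t hardened_copy_len(unsigned int nsops)
{
    if (nsops == 0 || nsops > MAX_OPS)
        return 0;
    return (size_t)nsops * OP_SIZE;
}

/* True when a non-zero copy of len bytes stays inside the stack buffer. */
bool fits_stack_buffer(size_t len)
{
    return len != 0 && len <= STACK_BUF;
}

int main(void)
{
    unsigned int huge = 0xFFFFFFFFu;      /* constructed hostile argument */
    printf("vulnerable: %zu bytes (fits: %d)\n", vulnerable_copy_len(huge),
           fits_stack_buffer(vulnerable_copy_len(huge)));
    printf("hardened:   %zu bytes (fits: %d)\n", hardened_copy_len(huge),
           fits_stack_buffer(hardened_copy_len(huge)));
    return 0;
}
```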