DragonFlyBSD Kernel Audit

About this audit

This is the read-only viewer for the DragonFlyBSD Kernel Audit: an adversarial, file-by-file security review of the DragonFlyBSD kernel source tree (sys/, ~2,809 C files). Every issue below was found by reading the kernel source, then, wherever a proof-of-concept exists, verified against a live DragonFlyBSD guest rather than trusted on theory alone.

What you're looking at

Methodology & process

The audit runs as a pipeline of cooperating stages:

  1. Triage & queue. Files under sys/ are prioritised by attacker reach: kern (syscalls, IPC, caps, exec) first, then the network stacks, filesystems, VM, crypto, drivers, and shared libs, breaking ties by lines-of-code.
  2. Deep review. Each file gets a fresh, paranoid pass: control flow, length arithmetic, copyin/uiomove bounds, refcounts and locking, privilege checks, info leaks, and parser logic. Candidate defects are filed with a root-cause walk, a threat model, and a concrete patch.
  3. PoC verification. For each finding with a trigger, a runner builds the proof-of-concept on a real DragonFlyBSD kernel under QEMU/KVM and runs it. It reproduces or refutes honestly: a reproduced bug is stress-tested and pushed toward a real exploit (slab grooming → victim overwrite → privilege gain); a refuted one is traced line-by-line and classified as false-positive, already-fixed, unreachable, or missing setup. The full untrimmed evidence is retained in the evidence pack.
  4. One source of truth. A SQLite database (audit/audit.db) holds the structured index; the per-finding markdown and evidence packs hold the detail. This viewer renders both together.

Vulnerability classes & severity

Memory-safety bugs are weighted highest (overflows, OOB, use-after-free, double-free, type confusion, uninitialised reads, integer issues), followed by refcount/lifetime races and locking errors, missing or wrong privilege checks, kernel info leaks, attacker-controlled parsing (mbuf chains, socket options, ioctls, filesystem images), protocol/logic errors, and crypto correctness. Each finding carries a CVSS 3.1 vector and a severity:

Disclosure

This work is defensive. Findings are reported upstream under coordinated disclosure and remain private until the project ships a fix or the 90-day embargo lapses; proof-of-concept code is kept out of any public push until then. This viewer contains pre-disclosure vulnerability details and exploit material, and is intended only for the audit contributors and the DragonFlyBSD maintainers.

Provenance

Project
DragonFlyBSD kernel audit
Schema
v3
Scope
sys/ (2,809 tracked files)
Generated
2026-07-02 04:46 UTC