โฌข DragonFlyBSD Kernel Audit
โ† dashboard
DF-0004

devaddq error path leaks data buffer due to wrong variable checked (loc instead of data)

Field Value
ID DF-0004
Status new
Severity Info
CVSS 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE CWE-401 Missing Release of Memory after Effective Lifetime
File sys/kern/subr_bus.c
Lines 615-622
Area kern
Confidence certain
Discovered 2026-06-29
Reported pending

Summary

In the bad error-cleanup label of devaddq, the third kfree condition checks if (loc != NULL) a second time instead of if (data != NULL). When the loc allocation fails but data was already allocated, the data buffer (1024 bytes) is never freed โ€” a memory leak.

Root cause

sys/kern/subr_bus.c:615-622 โ€” three buffers are allocated in order (data at :585, loc at :590, pnp at :597). On any allocation failure, control jumps to bad:

bad:
    if (pnp != NULL)
        kfree(pnp, M_BUS);
    if (loc != NULL)
        kfree(loc, M_BUS);
    if (loc != NULL)        /* BUG: should be `if (data != NULL)` */
        kfree(data, M_BUS);
    return;

The third check at line 620 tests loc again instead of data. When the loc allocation fails (:591-592): data != NULL, loc == NULL, pnp == NULL. The first two kfrees are no-ops (NULL), and the third check if (loc != NULL) is FALSE, so data (1024 bytes, M_BUS) is leaked. This is most likely under memory pressure, since the allocations use M_NOWAIT.

Threat model & preconditions

  • Attacker position: none directly. devaddq runs on device attach/detach/hotplug events (devadded, devremoved, devnomatch), which are relatively infrequent and typically root/initiated.
  • Privileges gained or impact: none. Memory leak of 1024 bytes per failed devaddq. Under sustained memory pressure with rapid device add/remove cycles (e.g. many kldload/kldunload rounds while RAM is exhausted) this could exacerbate pressure, but the practical DoS impact is negligible.
  • Required config or capabilities: none.
  • Reachability: devaddq โ†’ bad on a kmalloc(..., M_NOWAIT) failure.

Proof of concept

No security PoC warranted โ€” this is a memory leak with no security impact. To observe it: trigger repeated device attach/detach under memory pressure (e.g. many kldload/kldunload cycles while filling RAM) and watch vmstat/kmem statistics for unrecovered M_BUS growth. The leaked buffers persist until reboot.

Impact

Negligible security impact. A 1024-byte leak per failed devaddq; correct fix is a one-line change.

Fix the copy-paste error in the cleanup path:

--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -617,5 +617,5 @@
        kfree(loc, M_BUS);
-   if (loc != NULL)
+   if (data != NULL)
        kfree(data, M_BUS);
    return;

References

  • sys/kern/subr_bus.c:620 โ€” incorrect loc check instead of data.
  • CWE-401 Missing Release of Memory after Effective Lifetime.

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/subr_bus.c.
  • pending Reported to DragonFlyBSD security contact.