devaddq error path leaks data buffer due to wrong variable checked (loc instead of data)
| Field | Value |
|---|---|
| ID | DF-0004 |
| Status | new |
| Severity | Info |
| CVSS 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CWE | CWE-401 Missing Release of Memory after Effective Lifetime |
| File | sys/kern/subr_bus.c |
| Lines | 615-622 |
| Area | kern |
| Confidence | certain |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
In the bad error-cleanup label of devaddq, the third kfree condition
checks if (loc != NULL) a second time instead of if (data != NULL). When
the loc allocation fails but data was already allocated, the data buffer
(1024 bytes) is never freed โ a memory leak.
Root cause
sys/kern/subr_bus.c:615-622 โ three buffers are allocated in order (data
at :585, loc at :590, pnp at :597). On any allocation failure,
control jumps to bad:
bad:
if (pnp != NULL)
kfree(pnp, M_BUS);
if (loc != NULL)
kfree(loc, M_BUS);
if (loc != NULL) /* BUG: should be `if (data != NULL)` */
kfree(data, M_BUS);
return;
The third check at line 620 tests loc again instead of data. When the
loc allocation fails (:591-592): data != NULL, loc == NULL,
pnp == NULL. The first two kfrees are no-ops (NULL), and the third check
if (loc != NULL) is FALSE, so data (1024 bytes, M_BUS) is leaked.
This is most likely under memory pressure, since the allocations use
M_NOWAIT.
Threat model & preconditions
- Attacker position: none directly.
devaddqruns on device attach/detach/hotplug events (devadded,devremoved,devnomatch), which are relatively infrequent and typically root/initiated. - Privileges gained or impact: none. Memory leak of 1024 bytes per failed
devaddq. Under sustained memory pressure with rapid device add/remove cycles (e.g. manykldload/kldunloadrounds while RAM is exhausted) this could exacerbate pressure, but the practical DoS impact is negligible. - Required config or capabilities: none.
- Reachability:
devaddqโbadon akmalloc(..., M_NOWAIT)failure.
Proof of concept
No security PoC warranted โ this is a memory leak with no security impact. To
observe it: trigger repeated device attach/detach under memory pressure
(e.g. many kldload/kldunload cycles while filling RAM) and watch
vmstat/kmem statistics for unrecovered M_BUS growth. The leaked buffers
persist until reboot.
Impact
Negligible security impact. A 1024-byte leak per failed devaddq; correct
fix is a one-line change.
Recommended fix
Fix the copy-paste error in the cleanup path:
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -617,5 +617,5 @@
kfree(loc, M_BUS);
- if (loc != NULL)
+ if (data != NULL)
kfree(data, M_BUS);
return;
References
sys/kern/subr_bus.c:620โ incorrectloccheck instead ofdata.- CWE-401 Missing Release of Memory after Effective Lifetime.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of
sys/kern/subr_bus.c. - pending Reported to DragonFlyBSD security contact.