DragonFlyBSD Kernel Audit
โ† dashboard
DF-0034

Uninitialized st_padding1 leaked to userspace via every stat syscall

Field        Value
ID           DF-0034
Status       new
Severity     Low
CVSS 3.1     CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE          CWE-908 Use of Uninitialized Resource
File         sys/kern/vfs_vnops.c
Lines        852-853 (vn_stat)
Area         kern
Confidence   certain
Discovered   2026-06-29
Reported     pending

Summary

vn_stat() zeros the spare stat fields st_lspare and st_qspare2 (:852-853) but never initializes the explicitly-declared __uint16_t st_padding1 (sys/sys/stat.h:105). All five stat syscall handlers declare struct stat on the kernel stack without zeroing it and copyout() the whole struct, leaking 2 bytes of uninitialized kernel stack to unprivileged userspace on every fstat/stat/lstat/fstatat/fhstat.

Root cause

sys/kern/vfs_vnops.c:852-853:

/* Zero the spare stat fields */
sb->st_lspare = 0;
sb->st_qspare2 = 0;
/* sb->st_padding1 (stat.h:105) is never written */

Callers pass a stack-local, unzeroed struct stat and copyout sizeof(struct stat): sys_fstat (kern_descrip.c:1574,1580), sys_stat (vfs_syscalls.c:3071,3078), sys_lstat (:3093,3100), sys_fstatat (:3115,3130), sys_fhstat (:5004,5030).
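A userland model of the root cause and of the whole-struct zeroing fix, added here as an illustration and not taken from the PoC or the kernel sources: struct audit_stat is a constructed layout standing in for DragonFlyBSD's struct stat, and a poison byte stands in for stale kernel-stack contents, so leaked_bytes() reports exactly which bytes a copyout() of the field-wise-filled struct would hand to userspace.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct stat, not DragonFlyBSD's real layout: one
 * explicit 16-bit padding member and no implicit compiler padding (sizeof == 24). */
struct audit_stat {
	uint32_t st_dev;
	uint32_t st_mode;
	uint16_t st_nlink;
	uint16_t st_padding1;	/* declared, but the buggy path never writes it */
	uint32_t st_lspare;
	uint64_t st_qspare2;
};
#define STACK_POISON 0xA5	/* stands in for stale data on the kernel stack */

/* Mirrors the vn_stat() pattern: every field but the padding member is assigned. */
static void stat_fill_fieldwise(struct audit_stat *sb)
{
	sb->st_dev = 1;
	sb->st_mode = 0100644;	/* S_IFREG | 0644 */
	sb->st_nlink = 1;
	sb->st_lspare = 0;	/* the spare fields are zeroed ... */
	sb->st_qspare2 = 0;	/* ... but st_padding1 keeps its stale bytes */
}

/* Hardened variant: clear the whole object first, so every byte copyout() later hands out is defined. */
static void stat_fill_zeroed(struct audit_stat *sb)
{
	memset(sb, 0, sizeof(*sb));
	stat_fill_fieldwise(sb);
}

/* Poison a stack object, run the fill routine and count the bytes it left untouched:
 * exactly what copyout() would leak. *first_off (if non-NULL) gets the first leaked offset or -1. */
static int leaked_bytes(void (*fill)(struct audit_stat *), int *first_off)
{
	struct audit_stat sb;
	const unsigned char *p = (const unsigned char *)&sb;
	int leaked = 0, first = -1;
	memset(&sb, STACK_POISON, sizeof(sb));
	fill(&sb);
	for (size_t i = 0; i < sizeof(sb); i++) {
		if (p[i] == STACK_POISON && first < 0)
			first = (int)i;
		leaked += (p[i] == STACK_POISON);
	}
	if (first_off != NULL) *first_off = first;
	return leaked;
}
```

With the field-wise fill, the two poisoned bytes left at offsetof(struct audit_stat, st_padding1) are the model of the leak; the memset variant leaves none.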

Threat model & preconditions

  • Attacker position: any local unprivileged user.
  • Privileges gained or impact: information disclosure, 2 bytes of uninitialized kernel stack per call (pointer fragments, prior-syscall residue), samplable in a tight loop. Low-grade KASLR-assist / info-scrape.
  • Required config or capabilities: none; default kernel.
  • Reachability: any stat(2) family call on any vnode.

Proof of concept

PoC source: findings/poc/DF-0034/leak_stpad.c

Build & run (unprivileged)

cc -o leak_stpad findings/poc/DF-0034/leak_stpad.c
./leak_stpad

Expected output

Non-zero, varying byte pairs at offsetof(struct stat, st_padding1).

Impact

Low: 2-byte kernel-stack info leak, samplable in a loop. Same class as DF-0007/DF-0010/DF-0027.

Recommended fix

Zero st_padding1 in vn_stat (and, for defense in depth, bzero the struct stat in each stat syscall handler before calling vn_stat/fo_stat):

--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -851,6 +851,7 @@
     */
+   sb->st_padding1 = 0;
    sb->st_lspare = 0;
    sb->st_qspare2 = 0;
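Review bot: the hunk header `@@ -851,6 +851,7 @@` promises six lines of old-side context but only three are shown (the closing `*/` and the two assignments), so the patch as pasted will not apply cleanly; regenerate it with the full context. The `*/` context line also does not match the single-line `/* Zero the spare stat fields */` comment quoted in the root cause section, so one of the two is stale. Since the text above already recommends bzero'ing the struct in each caller as defense in depth, consider doing it once in vn_stat() itself with `bzero(sb, sizeof(*sb));` ahead of the field assignments: that covers st_padding1 and any implicit compiler padding that a per-field zero would miss, and the comment above the assignments can then say the whole struct is cleared.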

References

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/vfs_vnops.c.
  • pending Reported to DragonFlyBSD security contact.