Uninitialized st_padding1 leaked to userspace via every stat syscall
| Field | Value |
|---|---|
| ID | DF-0034 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-908 Use of Uninitialized Resource |
| File | sys/kern/vfs_vnops.c |
| Lines | 852-853 (vn_stat) |
| Area | kern |
| Confidence | certain |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
vn_stat() zeros the spare stat fields st_lspare and st_qspare2
(:852-853) but never initializes the explicitly-declared __uint16_t
st_padding1 (sys/sys/stat.h:105). All five stat syscall handlers declare
struct stat on the kernel stack without zeroing it and copyout() the whole
struct, leaking 2 bytes of uninitialized kernel stack to unprivileged
userspace on every fstat/stat/lstat/fstatat/fhstat.
Root cause
/* Zero the spare stat fields */
sb->st_lspare = 0;
sb->st_qspare2 = 0;
/* sb->st_padding1 (stat.h:105) is never written */
Every caller passes a stack-local, unzeroed struct stat to vn_stat()/fo_stat() and then copyout()s sizeof(struct stat) bytes of it: sys_fstat (kern_descrip.c:1574,1580), sys_stat (vfs_syscalls.c:3071,3078), sys_lstat (:3093,3100), sys_fstatat (:3115,3130), sys_fhstat (:5004,5030). Nothing on the path writes st_padding1, so whatever those two stack bytes held before the call is what userspace receives.
Threat model & preconditions
- Attacker position: any local unprivileged user.
- Privileges gained or impact: information disclosure of 2 bytes of uninitialized kernel stack per call (pointer fragments, residue from earlier syscalls), samplable in a tight loop. Low-grade KASLR assistance / information scraping.
- Required config or capabilities: none; default kernel.
- Reachability: any stat(2)-family call on any vnode.
Proof of concept
PoC source: findings/poc/DF-0034/leak_stpad.c
Build & run (unprivileged)
cc -o leak_stpad findings/poc/DF-0034/leak_stpad.c
./leak_stpad
Expected output
Non-zero, varying byte pairs at offsetof(struct stat, st_padding1) across repeated calls; a correctly initialized struct would return a constant pair of zero bytes there.
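The following is an added example, not the project's PoC (findings/poc/DF-0034/leak_stpad.c) and not kernel code. It models the root cause and the PoC's check in userspace: struct model_stat is a hypothetical, simplified stand-in for DragonFly's struct stat with an explicitly declared st_padding1 (not the real definition from sys/sys/stat.h), RESIDUE stands in for whatever an earlier syscall left on the kernel stack, and leaked_bytes() plays the role of the handler's stack buffer plus copyout(). It places the reported buggy pattern beside the one-line fix from the recommended patch and beside a memset-first variant. The model struct deliberately contains an implicit compiler padding hole before st_qspare2 on typical LP64 ABIs, to show why the whole-struct zero is the more robust form; whether the real struct stat has such a hole is not something this report establishes.

```c
/*
 * Added example, not the project's PoC and not kernel code.  struct
 * model_stat is a hypothetical stand-in for DragonFly's struct stat;
 * RESIDUE is a constructed stand-in for stale kernel-stack bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESIDUE 0xA5u   /* constructed: what the "previous syscall" left behind */

struct model_stat {
    uint64_t st_ino;
    uint32_t st_mode;
    uint16_t st_nlink;
    uint16_t st_padding1;  /* explicit padding field, the one vn_stat() misses */
    uint64_t st_size;
    uint32_t st_lspare;
    /* on typical LP64 ABIs the compiler inserts 4 bytes of implicit padding here */
    int64_t  st_qspare2;
};

/* Bytes that belong to no named field: implicit compiler padding, if any. */
static size_t implicit_padding_bytes(void)
{
    size_t named = sizeof(uint64_t) + sizeof(uint32_t) + 2 * sizeof(uint16_t)
                 + sizeof(uint64_t) + sizeof(uint32_t) + sizeof(int64_t);
    return sizeof(struct model_stat) - named;
}

/* The real fields any stat implementation sets (constructed values, none
 * of which contain the RESIDUE byte, so the scan below cannot false-positive). */
static void fill_named_fields(struct model_stat *sb)
{
    sb->st_ino   = 42;
    sb->st_mode  = 0100644;
    sb->st_nlink = 1;
    sb->st_size  = 4096;
}

/* Mirrors the reported vn_stat() pattern: spares zeroed, st_padding1 not. */
static void fill_stat_buggy(struct model_stat *sb)
{
    fill_named_fields(sb);
    sb->st_lspare = 0;
    sb->st_qspare2 = 0;
}

/* The one-line fix from the recommended patch: zero the declared pad field. */
static void fill_stat_field_fix(struct model_stat *sb)
{
    fill_stat_buggy(sb);
    sb->st_padding1 = 0;
}

/* Whole-struct zero before population: also covers implicit padding. */
static void fill_stat_memset(struct model_stat *sb)
{
    memset(sb, 0, sizeof(*sb));
    fill_named_fields(sb);
}

/*
 * Emulate the syscall path: the handler's stack buffer still holds residue,
 * the filler runs, and the entire struct is copied out.  Returns how many
 * residue bytes reached the "userspace" copy.
 */
static size_t leaked_bytes(void (*fill)(struct model_stat *))
{
    struct model_stat sb;
    unsigned char out[sizeof sb];
    size_t i, leaked = 0;

    memset(&sb, RESIDUE, sizeof sb);  /* stale kernel stack */
    fill(&sb);
    memcpy(out, &sb, sizeof sb);      /* copyout(sizeof(struct stat)) */

    for (i = 0; i < sizeof out; i++)
        if (out[i] == RESIDUE)
            leaked++;
    return leaked;
}

size_t leak_bytes_buggy(void)     { return leaked_bytes(fill_stat_buggy); }
size_t leak_bytes_field_fix(void) { return leaked_bytes(fill_stat_field_fix); }
size_t leak_bytes_memset(void)    { return leaked_bytes(fill_stat_memset); }

int main(void)
{
    printf("st_padding1 at offset %zu, implicit padding %zu byte(s)\n",
           offsetof(struct model_stat, st_padding1), implicit_padding_bytes());
    printf("buggy filler leaks      %zu byte(s)\n", leak_bytes_buggy());
    printf("field-level fix leaks   %zu byte(s)\n", leak_bytes_field_fix());
    printf("memset-first fix leaks  %zu byte(s)\n", leak_bytes_memset());
    return 0;
}
```

The buggy filler leaks the 2 bytes of st_padding1 plus any implicit padding; the field-level fix removes exactly the 2 reported bytes and nothing else; the memset-first variant leaks nothing regardless of how the struct is laid out, which is why zeroing the whole struct at the top of the function (or in each caller) is the safer shape for this class of bug.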
Impact
Low: 2-byte kernel-stack info leak per call, samplable in a loop. Same class as DF-0007/DF-0010/DF-0027.
Recommended fix
Zero st_padding1 in vn_stat (and defense-in-depth: bzero the
struct stat in each stat syscall handler before vn_stat/fo_stat):
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -851,6 +851,7 @@
*/
+ sb->st_padding1 = 0;
sb->st_lspare = 0;
sb->st_qspare2 = 0;
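Review bot: this hunk only zeroes the one named field, while the prose above also calls for a bzero of struct stat in each of the five syscall handlers; no hunk for kern_descrip.c or vfs_syscalls.c is included, so the defense-in-depth half of the fix is not actually in the patch. Per-field zeroing at the end of vn_stat also stays fragile: any field or padding the compiler or a future struct change introduces is missed again. Prefer a single `memset(sb, 0, sizeof(*sb));` at the point where vn_stat begins populating sb (not here, where the real fields are already set), after which the `st_padding1`, `st_lspare` and `st_qspare2` assignments become redundant.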
References
- sys/kern/vfs_vnops.c:852-853: spare fields zeroed, st_padding1 excepted.
- sys/sys/stat.h:105: __uint16_t st_padding1.
- CWE-908 Use of Uninitialized Resource.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of sys/kern/vfs_vnops.c.
- pending Reported to DragonFlyBSD security contact.