DragonFlyBSD Kernel Audit
DF-0037

sys_getpgid / sys_getsid lack cross-session visibility checks (unprivileged pgid/sid enumeration)

ID: DF-0037
Status: new
Severity: Info
CVSS 3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-862 Missing Authorization
File: sys/kern/kern_prot.c
Lines: 106-131 (getpgid), 136-158 (getsid)
Area: kern
Confidence: likely
Discovered: 2026-06-29
Reported: pending

Summary

sys_getpgid and sys_getsid look up an arbitrary target pid via pfind() and return its process-group-id / session-id without verifying that the caller may inspect that process. POSIX.1-2017 specifies EPERM when the target is not in the caller's session. Any local user can thus enumerate the pgid and session-id of every process on the system (including those in other sessions and UIDs).

Root cause

sys/kern/kern_prot.c:

/* sys_getpgid :119-126 */
pt = pfind(uap->pid);
...
lwkt_gettoken_shared(&pt->p_token);
sysmsg->sysmsg_result = pt->p_pgrp->pg_id;   /* no p_trespass / PRISON_CHECK */
lwkt_reltoken(&pt->p_token);

/* sys_getsid :149-154 */
pt = pfind(uap->pid);
...
sysmsg->sysmsg_result = pt->p_session->s_sid; /* no visibility check */

Contrast sysctl kern.proc (kern_proc.c:1690,1768) which calls PRISON_CHECK before revealing process metadata.

Threat model & preconditions

  • Attacker position: any local unprivileged user.
  • Privileges gained or impact: information disclosure, O(process-count) bits per call (the pgid/session-id of every process, including other sessions/UIDs). Session/pgid-leader fingerprinting; same class as historical BSD get*sid info-leak CVEs. Not an escalation primitive.
  • Required config or capabilities: none; default kernel.
  • Reachability: getpgid(2)/getsid(2) with an arbitrary pid.

Proof of concept

PoC source: findings/poc/DF-0037/leak_pgid.c

Build & run (unprivileged)

cc -o leak_pgid findings/poc/DF-0037/leak_pgid.c
./leak_pgid

Expected output

The pgid/sid of every process on the system, with no EPERM for out-of-session targets.
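A conformance probe for the POSIX rule the finding cites, added here and not taken from the report's PoC or from the DragonFlyBSD tree: it forks a child into a fresh session and checks whether getpgid()/getsid() on that child fail with EPERM (check enforced) or return the ids (the behaviour described above), so the same program can verify a patched kernel. The function names and result codes are assumptions of this example.

```c
/* Added conformance probe (not from the DF-0037 report or DragonFlyBSD).
 * POSIX.1-2017: getpgid()/getsid() on a process outside the caller's session
 * fail with EPERM. A child setsid()s into a new session; the parent queries it. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PROBE_ERROR = -1, PROBE_VISIBLE = 0, PROBE_EPERM = 1 };

/* Ask for both ids of `target` and classify the kernel's answer. */
static int classify(pid_t target)
{
    errno = 0;
    pid_t pg = getpgid(target);
    int pg_err = errno;
    errno = 0;
    pid_t sd = getsid(target);
    int sd_err = errno;
    if (pg == -1 && sd == -1 && pg_err == EPERM && sd_err == EPERM)
        return PROBE_EPERM;     /* visibility check enforced */
    if (pg != -1 && sd != -1)
        return PROBE_VISIBLE;   /* ids returned; for a foreign session this is DF-0037 */
    return PROBE_ERROR;         /* ESRCH, mixed answers, or a race */
}

/* Fork a child into its own session, probe it from the parent, then reap it.
 * The pipe byte guarantees the child's setsid() completed before the query. */
int probe_cross_session(void)
{
    int fds[2];
    char ok = 0;
    if (pipe(fds) == -1) return PROBE_ERROR;
    pid_t child = fork();
    if (child == -1) { close(fds[0]); close(fds[1]); return PROBE_ERROR; }
    if (child == 0) {                            /* child */
        close(fds[0]);
        ok = (setsid() != -1);
        if (write(fds[1], &ok, 1) != 1 || !ok) _exit(1);
        pause();                                 /* stay alive until killed */
        _exit(0);
    }
    close(fds[1]);                               /* parent */
    int result = (read(fds[0], &ok, 1) == 1 && ok) ? classify(child) : PROBE_ERROR;
    close(fds[0]);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}
```

PROBE_VISIBLE from probe_cross_session() is the DF-0037 behaviour; PROBE_EPERM is what a kernel with the proposed check answers.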

Impact

Low-grade information disclosure / POSIX non-compliance. Rated Info (same class as DF-0015/DF-0025).

Apply a p_trespass/session check before returning (mirroring kern.proc's PRISON_CHECK):

--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -123,6 +123,11 @@
    if (error == 0) {
        lwkt_gettoken_shared(&pt->p_token);
+       if (pt->p_session != p->p_session &&
+           caps_priv_check(p->p_ucred, SYSCAP_NOPROC_TRESPASS)) {
+           error = EPERM;
+       } else {
            sysmsg->sysmsg_result = pt->p_pgrp->pg_id;
+       }
        lwkt_reltoken(&pt->p_token);
    }
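Review bot: the added condition keys only on `pt->p_session != p->p_session` plus `caps_priv_check(p->p_ucred, SYSCAP_NOPROC_TRESPASS)`, but the lead-in says the check mirrors kern.proc's PRISON_CHECK and the root-cause comments name p_trespass; if jail visibility is meant to be covered too, add the PRISON_CHECK (or route the decision through p_trespass()) rather than the bare session comparison. The hunk also assumes `p` in this scope is the calling process and that caps_priv_check() returns 0 when the capability is held; confirm both, and add the new EPERM case to the ERRORS section of getpgid(2)/getsid(2) since the patch changes documented behaviour.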

(and the analogous check in sys_getsid at :153-154.)

References

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/kern_prot.c.
  • pending Reported to DragonFlyBSD security contact.