sys_getpgid / sys_getsid lack cross-session visibility checks (unprivileged pgid/sid enumeration)
| Field | Value |
|---|---|
| ID | DF-0037 |
| Status | new |
| Severity | Info |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-862 Missing Authorization |
| File | sys/kern/kern_prot.c |
| Lines | 106-131 (getpgid), 136-158 (getsid) |
| Area | kern |
| Confidence | likely |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
sys_getpgid and sys_getsid look up an arbitrary target pid via pfind()
and return its process-group-id / session-id without verifying that the caller
may inspect that process. POSIX.1-2017 specifies EPERM when the target is not
in the caller's session. Any local user can thus enumerate the pgid and
session-id of every process on the system (including those in other sessions
and UIDs).
Root cause
```c
/* sys_getpgid :119-126 */
pt = pfind(uap->pid);
...
lwkt_gettoken_shared(&pt->p_token);
sysmsg->sysmsg_result = pt->p_pgrp->pg_id; /* no p_trespass / PRISON_CHECK */
lwkt_reltoken(&pt->p_token);

/* sys_getsid :149-154 */
pt = pfind(uap->pid);
...
sysmsg->sysmsg_result = pt->p_session->s_sid; /* no visibility check */
```
Contrast sysctl kern.proc (kern_proc.c:1690,1768) which calls
PRISON_CHECK before revealing process metadata.
Threat model & preconditions
- Attacker position: any local unprivileged user.
- Privileges gained or impact: information disclosure, O(process-count) bits per call (the pgid/session-id of every process, including other sessions/UIDs). Session/pgid-leader fingerprinting; same class as historical BSD get*sid info-leak CVEs. Not an escalation primitive.
- Required config or capabilities: none; default kernel.
- Reachability: getpgid(2)/getsid(2) with an arbitrary pid.
Proof of concept
PoC source: findings/poc/DF-0037/leak_pgid.c

Build & run (unprivileged)
```sh
cc -o leak_pgid findings/poc/DF-0037/leak_pgid.c
./leak_pgid
```
Expected output
The pgid/sid of every process on the system, with no EPERM for
out-of-session targets.
Impact
Low-grade information disclosure / POSIX non-compliance. Rated Info (same class as DF-0015/DF-0025).
Recommended fix
Apply a p_trespass/session check before returning (mirroring kern.proc's
PRISON_CHECK):
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -123,6 +123,11 @@
if (error == 0) {
lwkt_gettoken_shared(&pt->p_token);
+ if (pt->p_session != p->p_session &&
+ caps_priv_check(p->p_ucred, SYSCAP_NOPROC_TRESPASS)) {
+ error = EPERM;
+ } else {
sysmsg->sysmsg_result = pt->p_pgrp->pg_id;
+ }
lwkt_reltoken(&pt->p_token);
}
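Review bot: the new condition reads `p->p_session` and `p->p_ucred`, but no declaration of `p` is visible in the hunk context; confirm it is the calling process (curproc), since a comparison against any other `struct proc` makes the check vacuous. The "Recommended fix" text frames this as mirroring kern.proc's PRISON_CHECK, yet the hunk adds only a same-session test plus `caps_priv_check(p->p_ucred, SYSCAP_NOPROC_TRESPASS)`; either add the PRISON_CHECK as well or state why the session comparison already covers the jail case. The error path still falls through to `lwkt_reltoken(&pt->p_token)`, which keeps the token handling intact; note that a caller can still distinguish ESRCH (no such pid) from EPERM, which POSIX allows. Finally, the sys_getsid half exists only as a prose remark after the hunk; include the analogous hunk so both syscalls change in the same patch.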
(and the analogous check in sys_getsid at :153-154.)
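A userland regression probe for the recommended fix, added here as example code (it is not the finding's leak_pgid.c PoC and not DragonFlyBSD project code). It forks a child, moves the child into a fresh session with setsid(), and then asks for that child's pgid and sid from the parent: a kernel with the check above returns -1/EPERM, an unpatched one returns the ids. Only standard POSIX calls are assumed, so it builds on any BSD or Linux (Linux does not implement the EPERM case and reports "not enforced").

```c
/*
 * Regression probe for the DF-0037 fix: does getpgid(2)/getsid(2) refuse
 * (EPERM) to reveal the pgid/sid of a process in another session?
 * Added example for this report; not the finding's PoC (leak_pgid.c).
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_call { CALL_GETPGID, CALL_GETSID };
enum probe_result {
    PROBE_ENFORCED,      /* -1/EPERM: visibility check present */
    PROBE_NOT_ENFORCED,  /* id returned: behaviour described in DF-0037 */
    PROBE_FAILED         /* fork/setsid/pipe problem or unexpected errno */
};

/* Same-session lookups must always succeed; used as a sanity baseline. */
int probe_same_session(void)
{
    pid_t self = getpid();
    if (getpgid(self) != getpgrp())
        return -1;
    if (getsid(self) != getsid(0))
        return -1;
    return 0;
}

/*
 * Fork a child, move it into its own session with setsid(), then query it
 * from the parent. The pipe makes the parent wait until the new session
 * exists; otherwise the lookup could race the child's setsid().
 */
enum probe_result probe_cross_session(enum probe_call call)
{
    int fds[2];
    char ready = 0;
    pid_t child, rv;
    int err;
    enum probe_result res = PROBE_FAILED;

    if (pipe(fds) == -1)
        return PROBE_FAILED;
    child = fork();
    if (child == -1) {
        close(fds[0]);
        close(fds[1]);
        return PROBE_FAILED;
    }
    if (child == 0) {
        close(fds[0]);
        if (setsid() != -1) {
            ready = 1;
            (void)write(fds[1], &ready, 1);
        }
        close(fds[1]);
        pause();            /* parent kills us when it is done */
        _exit(0);
    }
    close(fds[1]);
    /* read() returns 0 (EOF) if the child failed setsid() and closed without writing */
    if (read(fds[0], &ready, 1) == 1 && ready == 1) {
        errno = 0;
        rv = (call == CALL_GETPGID) ? getpgid(child) : getsid(child);
        err = errno;
        if (rv >= 0)
            res = PROBE_NOT_ENFORCED;
        else if (err == EPERM)
            res = PROBE_ENFORCED;
    }
    close(fds[0]);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return res;
}

int main(void)
{
    const char *names[] = { "enforced (EPERM)", "not enforced", "probe failed" };
    if (probe_same_session() != 0) {
        fprintf(stderr, "same-session lookups failed; aborting\n");
        return 1;
    }
    printf("getpgid cross-session: %s\n", names[probe_cross_session(CALL_GETPGID)]);
    printf("getsid  cross-session: %s\n", names[probe_cross_session(CALL_GETSID)]);
    return 0;
}
```

Run it unprivileged before and after applying the patch: the expected output is "not enforced" for both lines on the current kernel and "enforced (EPERM)" for both once sys_getpgid and sys_getsid carry the check. If the two lines disagree, only one of the syscalls received the fix.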
References
- sys/kern/kern_prot.c:106-131,136-158: getpgid/getsid (no visibility check).
- sys/kern/kern_proc.c:1690,1768: kern.proc applies PRISON_CHECK.
- CWE-862 Missing Authorization.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of sys/kern/kern_prot.c.
- pending Reported to DragonFlyBSD security contact.