โฌข DragonFlyBSD Kernel Audit
โ† dashboard
DF-0040

Section-header index not bounds-checked against e_shnum in link_elf_obj_load_file (heap OOB read)

Field Value
ID DF-0040
Status new
Severity Low
CVSS 3.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
CWE CWE-125 Out-of-bounds Read
File sys/kern/link_elf_obj.c
Lines 551 (symstrindex off-by-one), 603-604 (e_shstrndx)
Area kern
Confidence certain
Discovered 2026-06-29
Reported pending

Summary

link_elf_obj_load_file indexes shdr[] with two attacker-controlled indices without a correct < e_shnum guard: :551 uses symstrindex > e_shnum instead of >= (so a crafted sh_link == e_shnum reads shdr[e_shnum], one past the array), and :603-604 indexes shdr[e_shstrndx] with no e_shstrndx < e_shnum check (so an e_shstrndx up to 65535 reads far past the allocation). Both are heap OOB reads of attacker-influenced extent. The preload path link_elf_obj_preload_file uses the correct >= form (:245-248), confirming the load_file checks are regressions.

Root cause

sys/kern/link_elf_obj.c:551:

if (symstrindex < 0 || symstrindex > hdr->e_shnum ||     /* should be >= */
    shdr[symstrindex].sh_type != SHT_STRTAB) {

sys/kern/link_elf_obj.c:603-604:

if (hdr->e_shstrndx != 0 &&
    shdr[hdr->e_shstrndx].sh_type == SHT_STRTAB) {      /* no < e_shnum check */

shdr is kmalloc(e_shnum*sizeof(Elf_Shdr)) (:503). Correct bounds are in link_elf_obj_preload_file (:245-248, uses >=).

Threat model & preconditions

  • Attacker position: root via kldload(2) (SYSCAP_NOKLD, securelevel 0); ELF bytes fully attacker-controlled. Root already owns the kernel (a valid .ko's SYSINIT runs in kernel context), so this grants no new privilege โ€” it is robustness/defense-in-depth (matters for verified-boot / securelevel / restricted-module scenarios and clean panic-free parsing).
  • Privileges gained or impact: heap OOB read of M_LINKER memory; panic if it crosses into unmapped pages (local DoS), or attacker-influenced sh_type/sh_size/sh_offset values then drive kmalloc/vn_rdwr.
  • Reachability: kldload(2) of a crafted .ko with sh_link == e_shnum and/or e_shstrndx >= e_shnum.
--- a/sys/kern/link_elf_obj.c
+++ b/sys/kern/link_elf_obj.c
@@ -551
-   if (symstrindex < 0 || symstrindex > hdr->e_shnum ||
+   if (symstrindex < 0 || symstrindex >= hdr->e_shnum ||
@@ -603
    if (hdr->e_shstrndx != 0 &&
+       hdr->e_shstrndx < hdr->e_shnum &&
        shdr[hdr->e_shstrndx].sh_type == SHT_STRTAB) {

References

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/link_elf_obj.c.
  • pending Reported to DragonFlyBSD security contact.