DragonFlyBSD Kernel Audit
← dashboard
DF-0041

Unbounded st_name / sh_name offsets into symbol/section string tables (heap OOB read via strcmp)

Field Value
ID DF-0041
Status new
Severity Low
CVSS 3.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
CWE CWE-125 Out-of-bounds Read
File sys/kern/link_elf_obj.c
Lines 304, 707, 935, 1035, 1052, 1161, 1195
Area kern
Confidence likely
Discovered 2026-06-29
Reported pending

Summary

Every site that resolves a name from ddbstrtab or shstrtab computes strtab + st_name (or + sh_name) without verifying the uint32 offset is < ddbstrcnt/shstrcnt. The string tables are kmalloc'd to exactly sh_size with no guaranteed NUL terminator, so strcmp/strncmp on a crafted out-of-range (or non-terminated) st_name/sh_name reads past the allocation until it hits a NUL or an unmapped page (panic / limited heap info-leak). Sites: :304 (preload sh_name), :707 (load sh_name), :935 (symbol_name), :1035/:1052 (lookup_symbol/symbol_values), :1161 (elf_obj_lookup), :1195 (fix_link_set).

Root cause

sys/kern/link_elf_obj.c:1035 (link_elf_obj_lookup_symbol):

strp = ef->ddbstrtab + symp->st_name;   /* symp->st_name is Elf64_Word; ddbstrcnt never checked */
... strcmp(name, strp) ...

Allocations (:591, :607) give exactly sh_size bytes with no trailing NUL and no per-symbol offset validation.

Threat model & preconditions

  • Attacker position: root via kldload(2) (also reachable post-load via kldsym(2)/dependency resolution/ddb lookups). Root already owns the kernel, so defense-in-depth.
  • Privileges gained or impact: heap OOB read (panic if it crosses unmapped pages; limited heap-layout leak via match behavior). No new privilege.
  • Reachability: kldload(2) of a .ko whose symtab has st_name >= strtab size (or an interior non-terminated offset).

Guard each name access against the table count, and NUL-terminate the allocations (+1) so in-range-but-unterminated offsets cannot run off the end:

@@ -1034
    for (i = 0, symp = ef->ddbsymtab; i < ef->ddbsymcnt; i++, symp++) {
+       if (symp->st_name >= (Elf64_Word)ef->ddbstrcnt)
+           continue;
        strp = ef->ddbstrtab + symp->st_name;
@@ -590
-   ef->ddbstrtab = kmalloc(shdr[symstrindex].sh_size, M_LINKER, M_WAITOK);
+   ef->ddbstrtab = kmalloc(shdr[symstrindex].sh_size + 1, M_LINKER, M_WAITOK);
+   ef->ddbstrtab[ef->ddbstrcnt] = '\0';
@@ -606
-       ef->shstrtab = kmalloc(shdr[shstrindex].sh_size, M_LINKER, M_WAITOK);
+       ef->shstrtab = kmalloc(shdr[shstrindex].sh_size + 1, M_LINKER, M_WAITOK);
+       ef->shstrtab[ef->shstrcnt] = '\0';

(apply the same >= ddbstrcnt guard at :935,:1052,:1161,:1195 and >= shstrcnt for sh_name at :304,:707).

References

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/link_elf_obj.c.
  • pending Reported to DragonFlyBSD security contact.