DF-0043
SYSCTL_INT declared for long counters (auxrecovervnodes1/2) - type/size mismatch
| Field | Value |
|---|---|
| ID | DF-0043 |
| Status | new |
| Severity | Info |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N |
| CWE | CWE-704 Incorrect Type Conversion or Cast |
| File | sys/kern/vfs_lock.c |
| Lines | 109-114 |
| Area | kern |
| Confidence | certain |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
auxrecovervnodes1 and auxrecovervnodes2 are declared static long
(8 bytes on x86_64) but exported via SYSCTL_INT, whose handler treats arg1
as int * (4 bytes). On 64-bit little-endian, sysctl reads report only the
low 32 bits, and RW sysctl writes set only the low 32 bits while preserving
the high 32 bits. The defect is invisible while the counter stays below
INT_MAX; past that the displayed value goes negative or wraps, and a root
write intended to reset the counter cannot clear the high half, so the stored
value and the displayed value diverge. No OOB (a 4-byte access into
8-byte-aligned static storage is in-bounds), no info leak (debug-only
counters), no memory corruption; RW is root-gated. The rest of the kernel
correctly uses SYSCTL_LONG for long counters (e.g. vfs_bio.c:190-196).
Root cause
static long auxrecovervnodes1;
SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes1, CTLFLAG_RW,
&auxrecovervnodes1, 0, "vnlru auxillary vnodes recovered");
static long auxrecovervnodes2;
SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes2, CTLFLAG_RW,
&auxrecovervnodes2, 0, "vnlru auxillary vnodes recovered");
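Worked illustration of the truncation described in the summary (added here; this is not DragonFly code). The int_handler_* and long_handler_* functions are assumed stand-ins that model only the sizeof(int) versus sizeof(long) copy that the real int and long sysctl handlers perform on arg1; the static long mirrors the declaration in vfs_lock.c, and the sample counter values are constructed.

```c
/* Added illustration, not DragonFly code: models the SYSCTL_INT-on-long
 * mismatch. int_handler_* / long_handler_* are assumed stand-ins for what an
 * int sysctl handler and a long sysctl handler do with arg1. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

static long auxrecovervnodes1;   /* same declaration as in vfs_lock.c */

/* Int-handler-style access: copies sizeof(int) bytes at arg1 (as int *). */
static int int_handler_read(const void *arg1)
{
    int v;
    memcpy(&v, arg1, sizeof v);
    return v;
}
static void int_handler_write(void *arg1, int v)
{
    memcpy(arg1, &v, sizeof v);
}
/* Long-handler-style access: copies sizeof(long) bytes at arg1 (as long *). */
static long long_handler_read(const void *arg1)
{
    long v;
    memcpy(&v, arg1, sizeof v);
    return v;
}
static void long_handler_write(void *arg1, long v)
{
    memcpy(arg1, &v, sizeof v);
}

/* 1 on little-endian hosts (x86_64), where the int view is the low half. */
int is_little_endian(void)
{
    unsigned one = 1;
    return *(unsigned char *)&one == 1;
}

/* What a `sysctl debug.auxrecovervnodes1` read reports under SYSCTL_INT. */
int int_view(long stored)
{
    return int_handler_read(&stored);
}

/* Stored counter after a root write goes through the int handler:
 * only sizeof(int) bytes of the 8-byte long change. */
long counter_after_int_write(long initial, int written)
{
    auxrecovervnodes1 = initial;
    int_handler_write(&auxrecovervnodes1, written);
    return auxrecovervnodes1;
}

/* Same write through a long handler (what the SYSCTL_LONG fix gives). */
long counter_after_long_write(long initial, long written)
{
    auxrecovervnodes1 = initial;
    long_handler_write(&auxrecovervnodes1, written);
    return auxrecovervnodes1;
}

/* 1 when the int view no longer equals the stored long, i.e. the counter has
 * grown past what a SYSCTL_INT export can display. */
int display_mismatch(long stored)
{
    return (long)int_view(stored) != long_handler_read(&stored);
}

int main(void)
{
    /* Constructed value 2^32 + 5; the unsigned shift avoids UB if long is 32-bit. */
    long big = (long)((((unsigned long)1 << 31) << 1) + 5);
    printf("sizeof(long)=%zu stored=%ld int_view=%d mismatch=%d\n",
           sizeof(long), big, int_view(big), display_mismatch(big));
    printf("after int write of 7:  %ld\n", counter_after_int_write(big, 7));
    printf("after long write of 7: %ld\n", counter_after_long_write(big, 7));
    return 0;
}
```

On x86_64 the stored value 4294967301 is displayed as 5, a root write of 7 through the int handler leaves 4294967303 in the counter, and the same write through the long handler leaves 7. A live check that needs no source reading: a sysctlbyname(3) size probe (oldp NULL, oldlenp set) returns the handler's output size, so the SYSCTL_INT export should report 4 bytes where the SYSCTL_LONG export reports 8.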
Threat model & preconditions
- Impact: none security-relevant. The mismatched 4-byte access is in-bounds
  on an 8-byte-aligned long.
- Exposure: the counters are debug-only vnlru stats observed via
  sysctl debug.auxrecovervnodes{1,2}; writes are root-gated (CTLFLAG_RW)
  and the values feed no security-relevant decision.
- Classification: stats-display/correctness defect only.
Recommended fix
--- a/sys/kern/vfs_lock.c
+++ b/sys/kern/vfs_lock.c
@@ -109,7 +109,7 @@
static long auxrecovervnodes1;
-SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes1, CTLFLAG_RW,
+SYSCTL_LONG(_debug, OID_AUTO, auxrecovervnodes1, CTLFLAG_RW,
&auxrecovervnodes1, 0, "vnlru auxillary vnodes recovered");
static long auxrecovervnodes2;
-SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes2, CTLFLAG_RW,
+SYSCTL_LONG(_debug, OID_AUTO, auxrecovervnodes2, CTLFLAG_RW,
&auxrecovervnodes2, 0, "vnlru auxillary vnodes recovered");
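Review bot: the description strings left in context on both counters read "vnlru auxillary vnodes recovered" (misspelled, and identical for two different counters); since the hunk already touches the two SYSCTL lines, correct the spelling to "auxiliary" and give each counter a description that tells it apart in sysctl output. The type change itself is right: SYSCTL_LONG hands &auxrecovervnodes1 / &auxrecovervnodes2 to a handler that reads and writes sizeof(long), matching the static long declarations on the adjacent context lines, and the 0 default argument is unchanged.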
References
- sys/kern/vfs_lock.c:109-114: SYSCTL_INT on long variables.
- sys/kern/vfs_bio.c:190-196: correct SYSCTL_LONG pattern.
- CWE-704 Incorrect Type Conversion or Cast.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of
  sys/kern/vfs_lock.c.
- pending Reported to DragonFlyBSD security contact.