DragonFlyBSD Kernel Audit
DF-0043

SYSCTL_INT declared for long counters (auxrecovervnodes1/2) - type/size mismatch

Field Value
ID DF-0043
Status new
Severity Info
CVSS 3.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
CWE CWE-704 Incorrect Type Conversion or Cast
File sys/kern/vfs_lock.c
Lines 109-114
Area kern
Confidence certain
Discovered 2026-06-29
Reported pending

Summary

auxrecovervnodes1 and auxrecovervnodes2 are declared static long (8 bytes on x86_64) but exported via SYSCTL_INT, whose handler treats the pointer as int * (4 bytes). On 64-bit little-endian systems, a sysctl read reports only the low 32 bits of the counter, and a write through the RW sysctl sets only the low 32 bits while preserving the high 32 bits, so the counter's actual value can differ from the value sysctl displays. There is no out-of-bounds access (a 4-byte access into 8-byte-aligned static storage is in-bounds), no information leak (the counters are debug-only), and no memory corruption; the RW access is root-gated. The rest of the kernel correctly uses SYSCTL_LONG for long counters (e.g. vfs_bio.c:190-196).

Root cause

sys/kern/vfs_lock.c:109-114:

static long auxrecovervnodes1;
SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes1, CTLFLAG_RW,
        &auxrecovervnodes1, 0, "vnlru auxillary vnodes recovered");
static long auxrecovervnodes2;
SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes2, CTLFLAG_RW,
        &auxrecovervnodes2, 0, "vnlru auxillary vnodes recovered");
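
The read and write behaviour described in the Summary, as an added user-space model (not DragonFlyBSD source and not part of the original finding). It assumes an LP64 little-endian target such as x86_64; the function names and sample values are constructed for illustration.

```c
/* Added example: user-space model of an int-sized sysctl handler that is
 * handed the address of a long. Assumes LP64, little-endian (e.g. x86_64).
 * Function names are hypothetical, not DragonFlyBSD kernel symbols. */
#include <stdio.h>
#include <string.h>

_Static_assert(sizeof(long) == 8 && sizeof(int) == 4, "LP64 assumed");

static long counter;            /* stand-in for auxrecovervnodes1 */

/* Read side: copy out sizeof(int) bytes starting at the registered pointer. */
static int int_handler_read(const void *arg1)
{
    int out;
    memcpy(&out, arg1, sizeof(out));
    return out;
}

/* Write side: copy in sizeof(int) bytes, leaving the other four untouched. */
static void int_handler_write(void *arg1, int newval)
{
    memcpy(arg1, &newval, sizeof(newval));
}

/* Value a sysctl read would display when the counter really holds `truth`. */
static int shown_for(long truth)
{
    counter = truth;
    return int_handler_read(&counter);
}

/* Value the counter really holds after a sysctl write of `written`. */
static long stored_after_write(long before, int written)
{
    counter = before;
    int_handler_write(&counter, written);
    return counter;
}

int main(void)
{
    long truth = 0x100000005L;  /* constructed sample: 2^32 + 5 */
    printf("counter=%ld shown=%d\n", truth, shown_for(truth));
    long after = stored_after_write(truth, 0);
    printf("after writing 0: counter=%ld shown=%d\n",
           after, int_handler_read(&counter));
    return 0;
}
```

After the write of 0 the displayed value is 0 while the stored counter is still 2^32, which is the inconsistency the finding reports.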

Threat model & preconditions

  • Impact: none that is security-relevant. The mismatched 4-byte access is in-bounds on an 8-byte-aligned long; the counters are debug-only vnlru statistics read via sysctl debug.auxrecovervnodes{1,2}, writable only by root, and feed no security-relevant decision. This is a statistics-display and correctness defect only.

--- a/sys/kern/vfs_lock.c
+++ b/sys/kern/vfs_lock.c
@@ -109,7 +109,7 @@
 static long auxrecovervnodes1;
-SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes1, CTLFLAG_RW,
+SYSCTL_LONG(_debug, OID_AUTO, auxrecovervnodes1, CTLFLAG_RW,
         &auxrecovervnodes1, 0, "vnlru auxillary vnodes recovered");
 static long auxrecovervnodes2;
-SYSCTL_INT(_debug, OID_AUTO, auxrecovervnodes2, CTLFLAG_RW,
+SYSCTL_LONG(_debug, OID_AUTO, auxrecovervnodes2, CTLFLAG_RW,
         &auxrecovervnodes2, 0, "vnlru auxillary vnodes recovered");
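Review bot: the hunk header "@@ -109,7 +109,7 @@" declares seven lines on each side, but the body carries six (four context lines plus two changed), so git apply or patch is likely to reject it as malformed; regenerate the diff from the tree instead of hand-editing it. While these declarations are being touched, note that both sysctls keep the identical description "vnlru auxillary vnodes recovered", which leaves them indistinguishable in description output and misspells "auxiliary"; giving each a distinct, corrected string would be a cheap improvement. It is also worth asking whether CTLFLAG_RW is needed for statistics counters or whether CTLFLAG_RD would do.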

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/vfs_lock.c.
  • pending Reported to DragonFlyBSD security contact.