⬢ DragonFlyBSD Kernel Audit
DF-0054

Truncated prison-id sysctl node name in prison_sysctl_create (off-by-one in ksnprintf size)

Field        Value
ID           DF-0054
Status       new
Severity     Low
CVSS 3.1     CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE          CWE-193 Off-by-one Error
File         sys/kern/kern_jail.c
Lines        993-994
Area         kern
Confidence   certain
Discovered   2026-06-29
Reported     pending

Summary

prison_sysctl_create() declares char id_str[7] (correctly sized: JAIL_MAX = 999999 ⇒ up to 6 digits + NUL) but calls ksnprintf(id_str, 6, "%d", pr->pr_id); the size should be sizeof(id_str) (7), not 6. With size=6, ksnprintf writes at most 5 chars + NUL, truncating every 6-digit pr_id (100000–999998, half of the legal range) to its leading 5 digits. The resulting per-prison sysctl node name (_jail.<id>) collides: ids 100000–100009 all map to "10000", etc., so jail-management tools addressing a prison via sysctl kern.jail.<id>.* silently target the wrong prison (or fail on the duplicate name).
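To make the collision concrete, here is an added user-space model of the bug (not code from kern_jail.c): snprintf stands in for ksnprintf, JAIL_MAX and the 7-byte buffer are taken from the report, and the size argument is a parameter so the buggy value 6 and the fixed sizeof(id_str) can be compared over the whole id range. The return-value truncation check and the collision counter are assumptions of this example, not part of the kernel code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JAIL_MAX   999999   /* largest prison id, per the report */
#define ID_STR_LEN 7        /* char id_str[7]: 6 digits + NUL */

/* Mirror of the kernel's ksnprintf() call with a caller-chosen size, so
 * the buggy (6) and fixed (sizeof id_str == 7) variants can be compared.
 * Returns false when the id was truncated: snprintf returns the length it
 * wanted, so n >= size means buf holds only a prefix of the id. */
bool format_prison_id(char *buf, size_t bufsize, size_t size_arg, int id)
{
    if (size_arg > bufsize)
        size_arg = bufsize;             /* never write past the buffer */
    int n = snprintf(buf, size_arg, "%d", id);
    return n >= 0 && (size_t)n < size_arg;
}

/* Format id with the given size argument and compare to an expected name. */
bool name_is(int id, size_t size_arg, const char *expect)
{
    char buf[ID_STR_LEN];
    format_prison_id(buf, sizeof(buf), size_arg, id);
    return strcmp(buf, expect) == 0;
}

/* One flag per name value; a truncated name is a decimal prefix of a
 * legal id, so it always indexes within 0..JAIL_MAX. */
static unsigned char seen[JAIL_MAX + 1];

/* Count ids in [lo, hi] (clamped to 0..JAIL_MAX) whose sysctl node name
 * duplicates a name already produced by an earlier id in the range. */
long count_name_collisions(int lo, int hi, size_t size_arg)
{
    char name[ID_STR_LEN];
    long collisions = 0;
    if (lo < 0) lo = 0;
    if (hi > JAIL_MAX) hi = JAIL_MAX;
    memset(seen, 0, sizeof(seen));
    for (int id = lo; id <= hi; id++) {
        format_prison_id(name, sizeof(name), size_arg, id);
        int v = atoi(name);
        if (seen[v])
            collisions++;               /* e.g. 100001..100009 -> "10000" */
        else
            seen[v] = 1;
    }
    return collisions;
}
```

With size 6, count_name_collisions(1, JAIL_MAX, 6) reports 900000 colliding ids (every 6-digit id lands on an existing 5-digit name); with sizeof(id_str) it reports 0.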

Root cause

sys/kern/kern_jail.c:993-994:

char id_str[7];
ksnprintf(id_str, 6, "%d", pr->pr_id);     /* size=6 should be sizeof(id_str)=7 */
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -993
-   ksnprintf(id_str, 6, "%d", pr->pr_id);
+   ksnprintf(id_str, sizeof(id_str), "%d", pr->pr_id);
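Review bot: the hunk header `@@ -993` has neither line counts nor the `+` side, so `patch` and `git apply` will reject it as malformed; for a one-line replacement at line 993 it should read `@@ -993,1 +993,1 @@`, and including `char id_str[7];` from line 993 as a context line would make the anchor unambiguous. The replacement line itself is right: `sizeof(id_str)` is 7, which holds the 6 digits of JAIL_MAX plus the NUL, so no legal pr_id is truncated and the `_jail.<id>` names stay unique.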

References

Timeline

  • 2026-06-29 Discovered during automated file-by-file audit of sys/kern/kern_jail.c.
  • pending Reported to DragonFlyBSD security contact.