โฌข DragonFlyBSD Kernel Audit
โ† dashboard
DF-0057

Missing e_shentsize validation causes heap OOB read on shdr[] array

All 7 are root-only (kldload needs SYSCAP_NOKLD), defense-in-depth (root already owns the kernel via a valid .ko's SYSINIT), and several are analogues of the link_elf_obj.c findings DF-0040/41/42 in this sibling file.


DF-0057 โ€” Missing e_shentsize validation โ†’ heap OOB read on shdr[]

Field Value
Severity Low

kmalloc(e_shnum*e_shentsize) (:593) but no e_shentsize == sizeof(Elf_Shdr) check; shdr[i] indexed with 64-byte stride. If e_shentsize < 64 the allocation is too small โ†’ shdr[i] OOB read. Sibling link_elf_obj.c:499 validates; this file omits. Fix: reject e_shentsize != sizeof(Elf_Shdr).


Field Value
Severity Low

symstrindex = shdr[i].sh_link (Elf64_Word) set with no bounds check vs e_shnum (DF-0040 in link_elf_obj.c had an off-by-one >; this file has zero check). shdr[symstrindex].sh_size/sh_offset deref at :612/:620 is OOB if symstrindex >= e_shnum. Fix: if (shdr[i].sh_link >= hdr->e_shnum) continue;.


DF-0059 โ€” Uninitialized segs[1]/segs[0] dereference when fewer than 2 PT_LOAD

Field Value
Severity Low

segs[2] uninitialized stack (:399); :531 checks phdyn != NULL but not nsegs == 2; :541-542 unconditionally derefs segs[0]/segs[1]. Crafted ELF with PT_DYNAMIC but 0/1 PT_LOAD โ†’ wild deref โ†’ panic. Fix: require nsegs == 2 before the derefs.


DF-0060 โ€” DT_HASH d_ptr dereferenced without bounds โ†’ wild kernel read

Field Value
Severity Low

parse_dynamic DT_HASH: hashtab = ef->address + dp->d_un.d_ptr with no d_ptr < lf->size check; immediate hashtab[0]/hashtab[1] deref โ†’ wild read from ef->address + arbitrary_offset. Same gap in DT_STRTAB/DT_SYMTAB/DT_REL/ DT_RELA/DT_JMPREL/DT_PLTGOT. Fix: if (dp->d_un.d_ptr >= lf->size) return ENOEXEC; in each case.


DF-0061 โ€” Relocation r_offset never bounds-checked (DF-0042 analogue, wild write)

Field Value
Severity Low

relocate_file dispatches each rel/rela to elf_reloc with no r_offset < lf->size check; arch helper (elf_machdep.c:90) writes *(relocbase + r_offset). Crafted r_offset yields wild write of symbol-resolved value past the module buffer. Same gap in link_elf_reloc_local (:1024-1051). Fix: skip r_offset >= lf->size entries.


DF-0062 โ€” Unbounded st_name into strtab (DF-0041 analogue, OOB read via strcmp)

Field Value
Severity Low

Every strtab name site does ef->strtab + symp->st_name without checking st_name < ef->strsz; strtab has no guaranteed NUL; crafted st_name >= strsz โ†’ strcmp walks off the allocation (panic / heap info-leak). Fix: guard st_name < strsz/ddbstrcnt at each site; NUL-terminate the strtab allocation.


Field Value
Severity Low

while (symnum != STN_UNDEF) follows ef->chains[symnum] (attacker-controlled module buffer); the bounds check at :813 only rejects symnum >= nchains, no cycle detection; crafted 2-cycle (chains[1]=2, chains[2]=1) โ†’ infinite loop pinning a CPU during relocate_file. Fix: cap iterations at nchains (a valid chain visits each symbol at most once).


Common notes

All 7 are root-only defense-in-depth. Each has a concrete, one-line or few-line fix. The fixes for DF-0058/0061/0062 mirror the fixes already proposed for DF-0040/0042/0041 in the sibling link_elf_obj.c.