DragonFlyBSD Kernel Audit
DF-0060

DT_HASH d_ptr dereferenced without bounds validation - wild kernel read in parse_dynamic

Summary

In parse_dynamic (link_elf.c:240-248), the DT_HASH case computes hashtab = ef->address + dp->d_un.d_ptr, where d_ptr is an Elf64_Xword (uint64), without checking d_ptr < lf->size. It then dereferences hashtab[0] and hashtab[1] immediately, which is a wild read from ef->address plus an arbitrary offset. The nbuckets and nchains values read this way are attacker-influenced and determine ef->chains, which therefore can also become a wild pointer. The same gap exists for DT_STRTAB, DT_SYMTAB, DT_REL, DT_RELA, DT_JMPREL and DT_PLTGOT. Reachable only by root; classed as defense-in-depth.
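
The missing check, sketched as a stand-alone user-space example added here (not DragonFlyBSD code): the header words and the bucket/chain arrays must both lie inside the image before anything is read. The names range_in_image, check_dt_hash and demo are hypothetical, base and size stand in for ef->address and lf->size, and 32-bit hash words are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if [off, off+len) lies inside an image of `size` bytes; cannot overflow. */
static int range_in_image(uint64_t off, uint64_t len, uint64_t size)
{
    return off <= size && len <= size - off;
}

/*
 * Hypothetical validator for a DT_HASH d_ptr. `base` and `size` stand in for
 * ef->address and lf->size. Assumes 32-bit hash words.
 * Returns 0 and fills nbuckets/nchains on success, -1 on rejection.
 */
static int check_dt_hash(const uint8_t *base, uint64_t size, uint64_t d_ptr,
                         uint32_t *nbuckets, uint32_t *nchains)
{
    uint32_t hdr[2];
    uint64_t words;
    /* The two header words must be inside the image before they are read. */
    if (!range_in_image(d_ptr, sizeof(hdr), size))
        return -1;
    memcpy(hdr, base + d_ptr, sizeof(hdr));

    /* buckets[] and chains[] follow the header and must fit as well. */
    words = (uint64_t)hdr[0] + hdr[1];
    if (!range_in_image(d_ptr + sizeof(hdr), words * sizeof(uint32_t), size))
        return -1;
    *nbuckets = hdr[0];
    *nchains = hdr[1];
    return 0;
}

/* Constructed 64-byte sample image with a hash header at offset 16. */
static int demo(uint64_t d_ptr, uint32_t nb, uint32_t nc)
{
    uint8_t img[64] = {0};
    uint32_t hdr[2] = { nb, nc }, out_b, out_c;
    memcpy(img + 16, hdr, sizeof(hdr));
    return check_dt_hash(img, sizeof(img), d_ptr, &out_b, &out_c);
}

int main(void)
{
    printf("valid=%d wild=%d oversized=%d\n", demo(16, 2, 3),
           demo(UINT64_C(0xffffffff00000000), 2, 3), demo(16, 0xffffffffu, 1));
    return 0;
}
```

The same range test, with the appropriate length, applies to the other d_ptr-based tags listed in the summary.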