DragonFlyBSD Kernel Audit
DF-0061

Relocation r_offset never bounds-checked against module size (DF-0042 analogue, wild write)

Summary

relocate_file (link_elf.c:714-767) hands every relocation entry to elf_reloc without first checking that the entry's r_offset lies inside the module image (there is no r_offset < lf->size check). The architecture helper (elf_machdep.c:90) then computes where = relocbase + r_offset and performs *where = val, so a crafted r_offset in a malicious module turns the symbol-resolved value into a wild write at ef->address + r_offset, past the end of the module buffer. link_elf_reloc_local (link_elf.c:1024-1051) has the same gap. This is the link_elf.c analogue of DF-0042 (link_elf_obj.c).

Impact is bounded by privilege: loading a kernel module already requires root, so this is a defense-in-depth finding rather than a privilege boundary crossing on its own. The check a fix needs is that the whole relocation slot, not just its first byte, lies within [0, lf->size) before dispatching to elf_reloc in both paths; an r_offset < lf->size test alone still lets a multi-byte write start at the last byte of the module and spill past it, and the comparison must be written so that a huge r_offset cannot wrap the address arithmetic.
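The write pattern the finding describes, next to a bounds-checked version, as an added illustration that is not DragonFlyBSD source. The rela_t and module_t types, the MODULE_SIZE/CANARY_SIZE layout and the function names are assumptions standing in for Elf_Rela, the linker_file/elf_file pair (ef->address, lf->size) and the real elf_reloc path; the module image and the memory after it are constructed in one allocation so the unchecked write stays observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for Elf_Rela: only the fields this check needs. */
typedef struct {
    uint64_t r_offset;   /* offset of the patched slot, relative to relocbase */
    uint64_t r_info;     /* symbol index and type; not interpreted here */
} rela_t;

/* Hypothetical stand-in for the linker_file / elf_file pair (ef->address, lf->size). */
typedef struct {
    uint8_t *address;    /* base of the mapped module image */
    size_t   size;       /* number of bytes that belong to the module */
} module_t;

/* Unchecked write, modelled on where = relocbase + r_offset; *where = val.
 * Nothing constrains r_offset, so a crafted object can point it anywhere. */
static void reloc_unchecked(module_t *m, const rela_t *r, uint64_t val)
{
    uint8_t *where = m->address + r->r_offset;
    memcpy(where, &val, sizeof val);
}

/* Hardened write: refuse any relocation whose slot does not lie entirely inside
 * [address, address + size). Comparing r_offset against size - slot rather than
 * computing r_offset + slot avoids wraparound for huge offsets. */
static int reloc_checked(module_t *m, const rela_t *r, uint64_t val)
{
    const size_t slot = sizeof val;
    if (m->size < slot || r->r_offset > m->size - slot)
        return -1;                           /* out of range: would be a wild write */
    memcpy(m->address + r->r_offset, &val, slot);
    return 0;
}

#define MODULE_SIZE 64
#define CANARY_SIZE 16
#define CANARY_BYTE 0xA5

/* Constructed scenario: a 64-byte "module" followed in the same allocation by a
 * canary region standing in for whatever lives past the module buffer.
 * Returns the number of canary bytes overwritten after applying one relocation
 * whose r_offset points past lf->size. The unchecked path clobbers 8 bytes,
 * the checked path refuses the entry and clobbers none. */
static int wild_write_bytes(int use_check)
{
    uint8_t *buf = calloc(MODULE_SIZE + CANARY_SIZE, 1);
    if (buf == NULL)
        return -1;
    memset(buf + MODULE_SIZE, CANARY_BYTE, CANARY_SIZE);
    module_t m = { .address = buf, .size = MODULE_SIZE };
    rela_t r = { .r_offset = MODULE_SIZE + 4, .r_info = 0 };   /* 4 bytes past the end */
    uint64_t val = 0x4141414141414141ULL;  /* the "symbol-resolved value" */

    if (use_check)
        reloc_checked(&m, &r, val);
    else
        reloc_unchecked(&m, &r, val);

    int clobbered = 0;
    for (int i = 0; i < CANARY_SIZE; i++)
        if (buf[MODULE_SIZE + i] != CANARY_BYTE)
            clobbered++;
    free(buf);
    return clobbered;
}

/* Exercises the bounds check on its edges: the last fully-contained 8-byte slot
 * passes, one byte further is refused, and an offset near UINT64_MAX is refused
 * without the address arithmetic wrapping. Returns 1 when all three hold. */
static int check_edges(void)
{
    uint8_t buf[MODULE_SIZE] = {0};
    module_t m = { .address = buf, .size = MODULE_SIZE };
    rela_t last = { .r_offset = MODULE_SIZE - 8, .r_info = 0 };
    rela_t past = { .r_offset = MODULE_SIZE - 7, .r_info = 0 };
    rela_t wrap = { .r_offset = UINT64_MAX - 3, .r_info = 0 };
    return reloc_checked(&m, &last, 1) == 0
        && reloc_checked(&m, &past, 1) == -1
        && reloc_checked(&m, &wrap, 1) == -1;
}
```

The slot width is fixed at 8 bytes here; in a real elf_reloc the width depends on the relocation type, so the check belongs either in the arch helper where the type is known, or in relocate_file using the widest type the helper can emit.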