DragonFlyBSD Kernel Audit
DF-0062

Unbounded st_name offsets into strtab (DF-0041 analogue, heap OOB read via strcmp)

Summary

Every strtab name site in link_elf.c (lines 698, 824, 847, 871, 879 and 1016) computes ef->strtab + symp->st_name (st_name is an Elf64_Word, i.e. uint32) without first checking st_name < ef->strsz (the DT_STRSZ length). The string table carries no guaranteed terminating NUL, so a crafted st_name >= strsz hands strcmp a pointer at or past the end of the allocation and it walks off the buffer, yielding a panic or a heap information leak. This is the link_elf.c analogue of DF-0041 (link_elf_obj.c). Loading a kernel object already requires root, so the fix is defense-in-depth rather than a privilege boundary.
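A bounds-checked name accessor of the kind the fix needs, as an added example written for this note rather than code from the DragonFlyBSD tree; the names elf_strtab_name and elf_sym_name_matches and the sample table are assumptions, with strtab/strsz standing in for ef->strtab/ef->strsz.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked lookup of a symbol name in an ELF string
 * table. strtab/strsz mirror ef->strtab/ef->strsz (DT_STRSZ); st_name is
 * the Elf64_Word symbol-name offset. Returns NULL when the offset lies
 * outside the table or no NUL follows it before the table ends, so a
 * caller never hands strcmp a pointer that can run off the allocation. */
static const char *
elf_strtab_name(const char *strtab, size_t strsz, uint32_t st_name)
{
    if (strtab == NULL || st_name >= strsz)
        return NULL;            /* offset at or past the end of strtab */
    /* strtab has no guaranteed trailing NUL, so require a terminator
     * within the bytes that remain instead of trusting strlen/strcmp. */
    if (memchr(strtab + st_name, '\0', strsz - st_name) == NULL)
        return NULL;
    return strtab + st_name;
}

/* Compare a symbol's name with a wanted name: 1 on match, 0 on mismatch,
 * -1 when the st_name offset is rejected by the check above. */
static int
elf_sym_name_matches(const char *strtab, size_t strsz, uint32_t st_name,
    const char *wanted)
{
    const char *name = elf_strtab_name(strtab, strsz, st_name);

    if (name == NULL)
        return -1;
    return strcmp(name, wanted) == 0;
}

/* Constructed sample table: "\0foo\0bar" with no NUL after "bar". */
static const char sample_strtab[] = { '\0', 'f', 'o', 'o', '\0', 'b', 'a', 'r' };
static const size_t sample_strsz = sizeof(sample_strtab);

int
main(void)
{
    printf("foo: %d\n", elf_sym_name_matches(sample_strtab, sample_strsz, 1, "foo"));
    printf("bar (unterminated): %d\n",
        elf_sym_name_matches(sample_strtab, sample_strsz, 5, "bar"));
    printf("offset >= strsz: %d\n",
        elf_sym_name_matches(sample_strtab, sample_strsz, 64, "foo"));
    return 0;
}
```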