DragonFlyBSD Kernel Audit
DF-0065

OOB read of thread struct before panic in lwkt_reltoken assertion path (console-only, no userspace leak)

Summary

In lwkt_reltoken (lwkt_token.c:841-854), when the token stack is empty (td_toks_stop==td_toks_base), ref=td_toks_stop-1 points before td_toks_array[0], into td_toks_have/td_kfpuctx (thread.h:328-331). The first clause, ref<&td_toks_base, short-circuits correctly, but the kprintf at :845-846 UNCONDITIONALLY dereferences ref->tr_tok/tr_count/tr_owner, reading 24 bytes before the array. The data goes only to the console via kprintf, and the function panics immediately afterwards (:853). NO userspace info leak, NO memory corruption. Triggering it requires a kernel programming bug (reltoken with no token held). Hardening only.
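As an added illustration (not the kernel's code and not part of this finding), a constructed C model of the shape described above: the range check short-circuits, but the diagnostic still reads through ref on an empty stack; beside it, the hardened shape that establishes the range before formatting anything. The struct layouts, field types, LWKT_MAXTOKENS, the td_filler field and the helper names are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed, simplified model of the structures the finding names; field
 * types, order and LWKT_MAXTOKENS are assumptions, not the kernel's layout. */
struct lwkt_token;
struct lwkt_tokref {
    struct lwkt_token *tr_tok;    /* token this ref holds */
    intptr_t           tr_count;  /* recursion count */
    void              *tr_owner;  /* owning thread */
};
#define LWKT_MAXTOKENS 4
struct thread {
    uintptr_t           td_toks_have;  /* fields that precede the array */
    void               *td_kfpuctx;
    void               *td_filler;     /* constructed so the three fields span one tokref */
    struct lwkt_tokref  td_toks_array[LWKT_MAXTOKENS];
    struct lwkt_tokref *td_toks_stop;  /* one past the last held ref */
};
#define td_toks_base td_toks_array[0]  /* so the check reads ref < &td->td_toks_base */
/* Thread holding no tokens; a sentinel right before the array exposes a stray read. */
static void thread_init_empty(struct thread *td, uintptr_t sentinel)
{
    memset(td, 0, sizeof *td);
    memcpy(&td->td_toks_have, &sentinel, sizeof sentinel);  /* memcpy avoids aliasing games */
    td->td_toks_stop = &td->td_toks_base;                      /* empty stack */
}
/* Buggy shape: the range check short-circuits as intended, but the diagnostic evaluates
 * ref->tr_tok/tr_count/tr_owner anyway. Returns the value it printed as tr_tok (0 = no error). */
static uintptr_t diag_buggy(struct thread *td, struct lwkt_token *tok, char *msg, size_t n)
{
    struct lwkt_tokref *ref = td->td_toks_stop - 1;
    if (ref < &td->td_toks_base || ref->tr_tok != tok) {
        snprintf(msg, n, "bad reltoken: tok=%p count=%ld owner=%p", (void *)ref->tr_tok, (long)ref->tr_count, ref->tr_owner);
        return (uintptr_t)ref->tr_tok;
    }
    return 0;
}
/* Hardened shape: describe *ref only once it lies inside the array. Returns 1 if ref was read, 0 if empty. */
static int diag_hardened(struct thread *td, struct lwkt_token *tok, char *msg, size_t n)
{
    struct lwkt_tokref *ref = td->td_toks_stop - 1;
    if (ref < &td->td_toks_base) {
        snprintf(msg, n, "bad reltoken: no tokens held, tok=%p", (void *)tok);
        return 0;
    }
    if (ref->tr_tok != tok)
        snprintf(msg, n, "bad reltoken: tok=%p count=%ld owner=%p", (void *)ref->tr_tok, (long)ref->tr_count, ref->tr_owner);
    return 1;
}
```

With the stack empty, diag_buggy reports the sentinel stored in td_toks_have as if it were tr_tok, which is the console-only exposure the finding describes; diag_hardened never touches *ref on that path.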