DragonFlyBSD Kernel Audit
DF-0066

Undefined behavior: shift by sysctl-controlled token_window_shift in backoff spin

Summary

_lwkt_trytokref_spin (lwkt_token.c:400 and :413) computes rdtsc() >> (int)token_window_shift. token_window_shift is writable through a SYSCTL_INT declared with CTLFLAG_RW (:157-158), and rdtsc() returns tsc_uclock_t, a 64-bit unsigned type. If root sets the sysctl to a negative value or to a value >= 64, the shift is undefined behavior (C11 6.5.7).

Impact: an unpredictable backoff window (scheduling fairness) only, NOT memory corruption or an information leak. Root-only.

Fix: clamp the shift to [0,63] or mask it with & 63.