Missing sign/upper-bound validation on vpcount before heap alloc + file read (negative->huge kmalloc M_WAITOK DoS)
| Field | Value |
|---|---|
| ID | DF-0071 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CWE | CWE-20 Improper Input Validation |
| File | sys/kern/kern_checkpoint.c |
| Lines | 561-569 |
| Area | kern (checkpoint/restore) |
| Confidence | likely |
| Discovered | 2026-06-30 |
| Reported | pending |
Summary
elf_gettextvp (sys/kern/kern_checkpoint.c:561): vpcount (declared int at
:538) is read directly from the untrusted checkpoint file and used immediately
as the multiplier for kmalloc(sizeof(struct vn_hdr) * vpcount, M_TEMP, M_WAITOK)
(:563) and read_check(..., sizeof(struct vn_hdr)*vpcount) (:564) with no
check that vpcount >= 0 and no upper bound. A negative vpcount is converted
to a near-SIZE_MAX value when promoted to size_t, yielding an impossibly large
kmalloc; with M_WAITOK this loops/panics the kernel (unrecoverable local DoS).
Contrast with elf_getnotes which bounds nthreads against CKPT_MAXTHREADS
(:188) — vpcount has no equivalent.
Reachability: via sys_checkpoint(CKPT_THAW, ...); with the default ckptgroup=0
setting only root/wheel can reach it.
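To make the size_t conversion concrete, the following is an added example (not code from the DragonFlyBSD tree or from this report) that models the unchecked expression at :563 next to a validated version; the layout of struct vn_hdr and the CKPT_MAXVNS value are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct vn_hdr (assumed layout; the real one is in
 * the DragonFlyBSD tree, not on this page). Only its size matters here. */
struct vn_hdr {
    uint64_t vnh_fileid;
    uint64_t vnh_offset;
    char     vnh_pad[48];
};

#define CKPT_MAXVNS 1024   /* assumed bound, per the report's "e.g. 1024" */

/* Mirrors the unchecked expression at kern_checkpoint.c:563: the int is
 * converted to size_t, so a negative vpcount becomes a value near SIZE_MAX. */
size_t unchecked_alloc_size(int vpcount)
{
    return sizeof(struct vn_hdr) * vpcount;
}

/* Hardened version: reject negative and oversized counts before any allocation
 * or file read. Returns 0 and stores the byte count, or EINVAL. The SIZE_MAX
 * guard cannot fire with CKPT_MAXVNS this small; it survives a raised bound. */
int checked_alloc_size(int vpcount, size_t *bytes)
{
    if (vpcount < 0 || vpcount > CKPT_MAXVNS)
        return EINVAL;
    if ((size_t)vpcount > SIZE_MAX / sizeof(struct vn_hdr))
        return EINVAL;
    if (bytes != NULL)
        *bytes = sizeof(struct vn_hdr) * (size_t)vpcount;
    return 0;
}

/* Byte count on success, 0 when the count is rejected. */
size_t checked_bytes(int vpcount)
{
    size_t n = 0;
    return checked_alloc_size(vpcount, &n) == 0 ? n : 0;
}

int main(void)
{
    printf("unchecked(-1)=%zu checked(-1)=%d checked(16)=%zu\n",
           unchecked_alloc_size(-1), checked_alloc_size(-1, NULL), checked_bytes(16));
    return 0;
}
```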
Recommended fix
--- a/sys/kern/kern_checkpoint.c
+++ b/sys/kern/kern_checkpoint.c
@@ if ((error = read_check(fp, &vpcount, sizeof(int))) != 0)
goto done;
+if (vpcount < 0 || vpcount > CKPT_MAXVNS) { error = EINVAL; goto done; }
vnh = kmalloc(sizeof(struct vn_hdr) * vpcount, M_TEMP, M_WAITOK);
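Review bot: CKPT_MAXVNS is used in the added line but never defined in this hunk, so the patch does not compile as posted; add the #define alongside CKPT_MAXTHREADS, which the summary cites as the existing precedent for nthreads. With that bound in the low thousands, sizeof(struct vn_hdr) * vpcount cannot overflow size_t, so the separate SIZE_MAX / sizeof(struct vn_hdr) guard suggested below the hunk is redundant; if it is kept, a comment on CKPT_MAXVNS stating that invariant is clearer than a second runtime test. Also, the `@@` header carries no line-range fields and the context lines have lost their leading indentation, so the hunk will not apply with patch(1) as written.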
(Define CKPT_MAXVNS, e.g. 1024, plus a SIZE_MAX/sizeof(struct vn_hdr) guard.)
Timeline
- 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_checkpoint.c.
- pending Reported to DragonFlyBSD security contact.