DragonFlyBSD Kernel Audit
DF-0071

Missing sign/upper-bound validation on vpcount before heap alloc + file read (negative->huge kmalloc M_WAITOK DoS)

Field       Value
ID          DF-0071
Status      new
Severity    Low
CVSS 3.1    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE         CWE-20 Improper Input Validation
File        sys/kern/kern_checkpoint.c
Lines       561-569
Area        kern (checkpoint/restore)
Confidence  likely
Discovered  2026-06-30
Reported    pending

Summary

elf_gettextvp (sys/kern/kern_checkpoint.c:561): vpcount (declared int at :538) is read directly from the untrusted checkpoint file and used immediately as the multiplier for kmalloc(sizeof(struct vn_hdr) * vpcount, M_TEMP, M_WAITOK) (:563) and read_check(..., sizeof(struct vn_hdr)*vpcount) (:564), with no check that vpcount >= 0 and no upper bound. Because sizeof() yields size_t, the int operand is converted to size_t before the multiply, so a negative vpcount becomes a near-SIZE_MAX value and the request is an impossibly large kmalloc; with M_WAITOK the allocator either waits indefinitely for memory that can never be found or panics the kernel (unrecoverable local DoS). Contrast with elf_getnotes, which bounds nthreads against CKPT_MAXTHREADS (:188); vpcount has no equivalent bound.

Reachability: sys_checkpoint(CKPT_THAW,...); root/wheel-only under default ckptgroup=0.
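To make the int-to-size_t promotion concrete, here is an added stand-alone C example (not DragonFlyBSD code): the unchecked arithmetic from :563 next to a validated version with the bound and the SIZE_MAX guard. struct vn_hdr and CKPT_MAXVNS are hypothetical stand-ins whose values are placeholders, not the kernel's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's struct vn_hdr; only its size matters here. */
struct vn_hdr { char opaque[64]; };

/* Placeholder upper bound, not a DragonFlyBSD constant (the report suggests e.g. 1024). */
#define CKPT_MAXVNS 1024

/* Reproduces the unchecked expression: sizeof() is size_t, so the int operand is
 * converted to size_t first, and a negative count wraps to a near-SIZE_MAX size. */
size_t unchecked_vn_hdr_bytes(int vpcount)
{
    return sizeof(struct vn_hdr) * vpcount;
}

/* Validates the count the way the proposed fix does (sign and upper bound) and
 * additionally guards the multiplication itself. Returns 0 and stores the byte
 * count on success, EINVAL on rejection; *out is untouched on rejection. */
int checked_vn_hdr_bytes(int vpcount, size_t *out)
{
    if (vpcount < 0 || vpcount > CKPT_MAXVNS)
        return EINVAL;
    if ((size_t)vpcount > SIZE_MAX / sizeof(struct vn_hdr))
        return EINVAL;                      /* redundant with the bound, cheap to keep */
    *out = sizeof(struct vn_hdr) * (size_t)vpcount;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed inputs standing in for values read from a checkpoint file. */
    printf("unchecked(-1) = %zu bytes\n", unchecked_vn_hdr_bytes(-1));
    printf("checked(-1)   -> %d\n", checked_vn_hdr_bytes(-1, &n));
    printf("checked(8)    -> %d, %zu bytes\n", checked_vn_hdr_bytes(8, &n), n);
    return 0;
}
```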

--- a/sys/kern/kern_checkpoint.c
+++ b/sys/kern/kern_checkpoint.c
@@ if ((error = read_check(fp, &vpcount, sizeof(int))) != 0)
    goto done;
+if (vpcount < 0 || vpcount > CKPT_MAXVNS) { error = EINVAL; goto done; }
 vnh = kmalloc(sizeof(struct vn_hdr) * vpcount, M_TEMP, M_WAITOK);
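Review bot: CKPT_MAXVNS is referenced in the added check but nowhere defined in the hunk, so the patch does not compile as posted; the #define belongs in the same change, next to CKPT_MAXTHREADS which elf_getnotes already uses for nthreads, rather than left to the note below. Placing the check before the kmalloc is right, since it also covers the read_check(..., sizeof(struct vn_hdr)*vpcount) call that follows; with a small bound like 1024 the separate SIZE_MAX/sizeof(struct vn_hdr) guard is redundant, but the multiplication still mixes an int with size_t, so casting vpcount to size_t in the kmalloc line would make the intent explicit.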

(Define CKPT_MAXVNS, e.g. 1024, plus a SIZE_MAX/sizeof(struct vn_hdr) guard.)

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_checkpoint.c.
  • pending Reported to DragonFlyBSD security contact.