DF-0072
Missing sign/upper-bound validation on cfh_nfiles before heap alloc + file read (DoS; 32-bit integer-overflow heap OOB)
| Field | Value |
|---|---|
| ID | DF-0072 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CWE | CWE-190 Integer Overflow or Wraparound |
| File | sys/kern/kern_checkpoint.c |
| Lines | 596-675 |
| Area | kern (checkpoint/restore) |
| Confidence | likely |
| Discovered | 2026-06-30 |
| Reported | pending |
Summary
elf_getfiles (sys/kern/kern_checkpoint.c:598-600): filecount =
filehdr.cfh_nfiles where cfh_nfiles is int (sys/sys/ckpt.h:47). It is used
directly as kmalloc(filecount*sizeof(struct ckpt_fileinfo), M_TEMP, M_WAITOK)
(:599) and read_check(fp, cfi_base, filecount*sizeof(struct ckpt_fileinfo))
(:600) with no sign or magnitude check.
- Same root DoS as DF-0071: negative filecount → SIZE_MAX-promoted kmalloc
  with M_WAITOK → panic/hang.
- More severe on 32-bit (i386): choose filecount ≈ 2^32 / sizeof(struct
  ckpt_fileinfo) so the product wraps a 32-bit size_t to a small value.
  kmalloc(small) succeeds; read_check reads only small bytes; but the
  consumption loop at :617 indexes cfi_base[i] for i up to the original huge
  filecount → heap OOB read and (via fhold/fsetfd side effects on OOB-derived
  cfi fields) potential heap corruption. On 64-bit the multiplication cannot
  overflow size_t, so impact is DoS only.
Reachability: sys_checkpoint(CKPT_THAW,...); root/wheel-only under default
ckptgroup=0.
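The two failure modes above (negative count promoted to a huge size_t; 32-bit product wrapping to a small allocation that the consumer loop then overruns) are easy to reproduce in isolation. The following is an added example, not DragonFly code: it models a 32-bit size_t with uint32_t so the i386 wrap is visible on any host, and puts the kind of validation elf_getfiles needs beside the unchecked conversion. CKPT_FILEINFO_SZ (a stand-in for sizeof(struct ckpt_fileinfo)), CKPT_MAXFILES_DEMO and the function names are constructed for this demo and are not identifiers from the tree.

```c
/*
 * Added example, not DragonFly code. Demonstrates why filecount needs a
 * sign/upper-bound check and an overflow check before it is multiplied
 * into a kmalloc/read_check size.
 *
 * Constructed assumptions (not from the report or the tree):
 *   - CKPT_FILEINFO_SZ stands in for sizeof(struct ckpt_fileinfo).
 *   - CKPT_MAXFILES_DEMO is a hypothetical policy bound on cfh_nfiles.
 *   - size32_t models a 32-bit size_t so the i386 wrap shows on any host.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CKPT_FILEINFO_SZ    64u     /* placeholder element size (constructed) */
#define CKPT_MAXFILES_DEMO  65536   /* hypothetical sane upper bound */

typedef uint32_t size32_t;

/* Unchecked conversion as the report describes it, on a 32-bit size_t. */
static size32_t
naive_bytes32(int filecount)
{
    return (size32_t)filecount * CKPT_FILEINFO_SZ;
}

/* Unchecked conversion on a 64-bit size_t: a negative count is promoted
 * to a value near SIZE_MAX, which is the DoS path on amd64. */
static uint64_t
naive_bytes64(int filecount)
{
    return (uint64_t)filecount * CKPT_FILEINFO_SZ;
}

/*
 * Checked conversion. Returns 0 and stores the byte count in *out, or
 * EINVAL when filecount is negative, exceeds the policy bound, or would
 * overflow a size type whose maximum is max_size (models SIZE_MAX).
 */
static int
checked_bytes(int filecount, uint64_t max_size, uint64_t *out)
{
    if (filecount < 0 || filecount > CKPT_MAXFILES_DEMO)
        return EINVAL;
    /* Defence in depth: independent of how large the bound is set. */
    if ((uint64_t)filecount > max_size / CKPT_FILEINFO_SZ)
        return EINVAL;
    *out = (uint64_t)filecount * CKPT_FILEINFO_SZ;
    return 0;
}

/* Scratch output used by the demo and by tests. */
static uint64_t demo_out;

int
main(void)
{
    /* Constructed 32-bit wrap case: (2^32 / 64) + 1 elements. */
    int wrap_count = 67108865;

    printf("32-bit unchecked: %d * %u = %u bytes (wrapped)\n",
           wrap_count, CKPT_FILEINFO_SZ, naive_bytes32(wrap_count));
    printf("64-bit unchecked, count -1: %llu bytes (near SIZE_MAX)\n",
           (unsigned long long)naive_bytes64(-1));
    printf("checked, 32-bit limits: %s\n",
           checked_bytes(wrap_count, UINT32_MAX, &demo_out) ? "EINVAL" : "ok");
    printf("checked, count -1:     %s\n",
           checked_bytes(-1, UINT64_MAX, &demo_out) ? "EINVAL" : "ok");
    if (checked_bytes(16, UINT64_MAX, &demo_out) == 0)
        printf("checked, count 16:     ok, %llu bytes\n",
               (unsigned long long)demo_out);
    return 0;
}
```

The 32-bit case allocates 64 bytes for a count of 67108865, which is exactly the small-kmalloc / huge-loop mismatch described above; the checked variant rejects it on the bound before the overflow test is even reached.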
Recommended fix
--- a/sys/kern/kern_checkpoint.c
+++ b/sys/kern/kern_checkpoint.c
@@ filecount = filehdr.cfh_nfiles;
+if (filecount < 0 || filecount > CKPT_MAXFILES) { error = EINVAL; goto done; }
+if ((size_t)filecount > SIZE_MAX / sizeof(struct ckpt_fileinfo)) { error = EINVAL; goto done; }
cfi_base = kmalloc(filecount*sizeof(struct ckpt_fileinfo), M_TEMP, M_WAITOK);
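Review bot: CKPT_MAXFILES in the first added check is not defined by anything this report cites (sys/sys/ckpt.h:47 is only referenced for cfh_nfiles being int), so the patch should state where that bound comes from or add its definition alongside the check; `error` and the `done` label are likewise assumed to already exist in elf_getfiles and should be confirmed. With any reasonable CKPT_MAXFILES the second check can never fire, which is fine as defence in depth, but a short comment saying so would tell the next reader the bound is not being trusted alone.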
Timeline
- 2026-06-30 Discovered during automated file-by-file audit of
  sys/kern/kern_checkpoint.c.
- pending Reported to DragonFlyBSD security contact.