DragonFlyBSD Kernel Audit
DF-0072

Missing sign/upper-bound validation on cfh_nfiles before heap alloc + file read (DoS; 32-bit integer-overflow heap OOB)

ID: DF-0072
Status: new
Severity: Low
CVSS 3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CWE: CWE-190 Integer Overflow or Wraparound
File: sys/kern/kern_checkpoint.c
Lines: 596-675
Area: kern (checkpoint/restore)
Confidence: likely
Discovered: 2026-06-30
Reported: pending

Summary

elf_getfiles (sys/kern/kern_checkpoint.c:598-600) sets filecount = filehdr.cfh_nfiles, where cfh_nfiles is an int (sys/sys/ckpt.h:47) read straight from the checkpoint file. filecount is then used, with no sign or magnitude check, in kmalloc(filecount*sizeof(struct ckpt_fileinfo), M_TEMP, M_WAITOK) (:599) and in read_check(fp, cfi_base, filecount*sizeof(struct ckpt_fileinfo)) (:600).

  • Same root DoS as DF-0071: a negative filecount is converted to size_t in the multiplication and becomes a value near SIZE_MAX, so kmalloc of that size with M_WAITOK panics or hangs.
  • More severe on i386, where size_t is 32 bits: a filecount just above 2^32 / sizeof(struct ckpt_fileinfo) makes the product wrap to a small value. kmalloc(small) succeeds and read_check reads only that many bytes, but the consumption loop at :617 indexes cfi_base[i] for i up to the original, huge filecount, giving a heap OOB read and, through the fhold/fsetfd side effects driven by OOB-derived cfi fields, potential heap corruption. On 64-bit the product of a 32-bit int and sizeof cannot overflow size_t, so the impact there is DoS only.
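
The promotion and wrap-around arithmetic behind the two bullets above, as an added example that is not part of the audit page or of the DragonFlyBSD tree. It models the expression filecount*sizeof(struct ckpt_fileinfo) once with a 32-bit size_t (i386) and once with a 64-bit one (amd64), computes the smallest count that wraps, and shows the check the proposed patch adds. sizeof(struct ckpt_fileinfo) and CKPT_MAXFILES are not given on the page, so DEMO_FILEINFO_SIZE and DEMO_MAXFILES below are hypothetical stand-ins; the arithmetic holds for any element size of 3 or more.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sizeof(struct ckpt_fileinfo); the real size is not on the page. */
#define DEMO_FILEINFO_SIZE 64u
/* Hypothetical upper bound standing in for the CKPT_MAXFILES the patch assumes. */
#define DEMO_MAXFILES 65536

/* Models `filecount * sizeof(struct ckpt_fileinfo)` on i386, where size_t is
 * 32 bits: the int operand is converted to unsigned and the product wraps mod 2^32. */
uint32_t alloc_len_i386(int32_t filecount, uint32_t elemsz)
{
    return (uint32_t)filecount * elemsz;
}

/* The same expression on amd64: the int is sign-extended to 64 bits first, so a
 * negative count becomes a value near SIZE_MAX and a positive one cannot wrap. */
uint64_t alloc_len_amd64(int32_t filecount, uint64_t elemsz)
{
    return (uint64_t)(int64_t)filecount * elemsz;
}

/* Smallest positive filecount whose 32-bit product with elemsz wraps, i.e.
 * ceil(2^32 / elemsz). Returns -1 when that does not fit in an int (elemsz < 3). */
int32_t smallest_wrapping_count(uint32_t elemsz)
{
    uint64_t n = (uint64_t)UINT32_MAX / elemsz + 1;
    return n > INT32_MAX ? -1 : (int32_t)n;
}

/* How many elements the wrapped i386 allocation really holds, versus the
 * filecount elements the consumption loop would index. */
uint32_t elements_allocated_i386(int32_t filecount, uint32_t elemsz)
{
    return alloc_len_i386(filecount, elemsz) / elemsz;
}

/* Hardened check mirroring the proposed patch: reject negative and oversized
 * counts before any size arithmetic, then guard the multiplication itself. */
int check_nfiles(int filecount, size_t elemsz, int maxfiles)
{
    if (filecount < 0 || filecount > maxfiles)
        return EINVAL;
    if ((size_t)filecount > SIZE_MAX / elemsz)
        return EINVAL;
    return 0;
}

int main(void)
{
    int32_t n = smallest_wrapping_count(DEMO_FILEINFO_SIZE) + 1;

    printf("elemsz=%u, attacker filecount=%d\n", DEMO_FILEINFO_SIZE, n);
    printf("i386  kmalloc length: %u bytes (holds %u elements, loop touches %d)\n",
           alloc_len_i386(n, DEMO_FILEINFO_SIZE),
           elements_allocated_i386(n, DEMO_FILEINFO_SIZE), n);
    printf("amd64 kmalloc length: %llu bytes (no wrap)\n",
           (unsigned long long)alloc_len_amd64(n, DEMO_FILEINFO_SIZE));
    printf("negative count -1: i386 %u bytes, amd64 %llu bytes\n",
           alloc_len_i386(-1, DEMO_FILEINFO_SIZE),
           (unsigned long long)alloc_len_amd64(-1, DEMO_FILEINFO_SIZE));
    printf("check_nfiles: wrap=%d neg=%d sane=%d (EINVAL=%d)\n",
           check_nfiles(n, DEMO_FILEINFO_SIZE, DEMO_MAXFILES),
           check_nfiles(-1, DEMO_FILEINFO_SIZE, DEMO_MAXFILES),
           check_nfiles(16, DEMO_FILEINFO_SIZE, DEMO_MAXFILES), EINVAL);
    return 0;
}
```

With a 64-byte element the first wrapping count is 2^26; one more than that yields a 64-byte allocation holding a single element while the loop bound stays at 67108865. The negative case shows why the first line of the patch matters on both ABIs: -1 becomes 0xFFFFFFC0 on i386 and 2^64 - 64 on amd64, both of which reach kmalloc as an absurd length.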

Reachability: sys_checkpoint(CKPT_THAW, ...) with an attacker-controlled checkpoint file; restricted to root/wheel under the default ckptgroup=0, hence PR:H.

--- a/sys/kern/kern_checkpoint.c
+++ b/sys/kern/kern_checkpoint.c
@@ filecount = filehdr.cfh_nfiles;
+if (filecount < 0 || filecount > CKPT_MAXFILES) { error = EINVAL; goto done; }
+if ((size_t)filecount > SIZE_MAX / sizeof(struct ckpt_fileinfo)) { error = EINVAL; goto done; }
 cfi_base = kmalloc(filecount*sizeof(struct ckpt_fileinfo), M_TEMP, M_WAITOK);
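Review bot: CKPT_MAXFILES in the first added line is not defined anywhere in the visible hunk; either add its definition alongside the other checkpoint format constants (the page cites sys/sys/ckpt.h for cfh_nfiles) or name the existing constant it is meant to be. Once a concrete upper bound is enforced, the `(size_t)filecount > SIZE_MAX / sizeof(struct ckpt_fileinfo)` guard on the second line can never fire on either 32- or 64-bit, so either drop it or keep it with a comment saying it is a belt-and-braces check. Also confirm that the cleanup at the `done` label tolerates cfi_base being unset, since both new `goto done` paths now run before the kmalloc that would otherwise initialise it.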

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_checkpoint.c.
  • pending Reported to DragonFlyBSD security contact.