DragonFlyBSD Kernel Audit
DF-0073

Pointless cfi++ causes 1-element OOB read in DEBUG builds (elf_getfiles)

Field        Value
ID           DF-0073
Status       new
Severity     Info
CVSS 3.1     CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N
CWE          CWE-125 Out-of-bounds Read
File         sys/kern/kern_checkpoint.c
Lines        667-674
Area         kern (checkpoint/restore)
Confidence   certain
Discovered   2026-06-30
Reported     pending

Summary

In the elf_getfiles consumption loop, cfi is freshly set to &cfi_base[i] at the top of each iteration (:618), but at sys/kern/kern_checkpoint.c:673 a stray cfi++; increments it to &cfi_base[i+1] purely so the DEBUG-only PRINTF at :674 can print the next entry's cfi_index. On the final iteration (i == filecount-1), cfi_base[i+1] == cfi_base[filecount] is one element past the allocated array, so the PRINTF performs a 1-element OOB read of an int. In non-DEBUG builds PRINTF expands to nothing (sys/sys/ckpt.h:106), so the read is never evaluated; the cfi++ still executes but is harmless because cfi goes out of scope at the end of the iteration. No production impact.

Delete the stray cfi++; at :673 and change :674 to print the pre-increment cfi->cfi_index, or remove the PRINTF.

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_checkpoint.c.
  • pending Reported to DragonFlyBSD security contact.