DF-0073
Pointless cfi++ causes 1-element OOB read in DEBUG builds (elf_getfiles)
| Field | Value |
|---|---|
| ID | DF-0073 |
| Status | new |
| Severity | Info |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N |
| CWE | CWE-125 Out-of-bounds Read |
| File | sys/kern/kern_checkpoint.c |
| Lines | 667-674 |
| Area | kern (checkpoint/restore) |
| Confidence | certain |
| Discovered | 2026-06-30 |
| Reported | pending |
Summary
In the elf_getfiles consumption loop, cfi is freshly set to &cfi_base[i] at
the top of each iteration (:618), but at sys/kern/kern_checkpoint.c:673 a
stray cfi++; advances it to &cfi_base[i+1] purely so the DEBUG-only
PRINTF at :674 can print the next entry's cfi_index. On the final
iteration (i == filecount-1), cfi_base[i+1] == cfi_base[filecount] is one
element past the allocated array → a 1-element OOB read of an int. In non-DEBUG
builds PRINTF expands to nothing (sys/sys/ckpt.h:106), so the read is never
evaluated; the cfi++ still executes but is harmless, because cfi is re-derived
from i at the top of the next iteration and goes out of scope after the loop.
No production impact.
Recommended fix
Delete the stray cfi++; at :673 and change :674 to print the pre-increment
cfi->cfi_index, or remove the PRINTF.
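Added illustration, not DragonFlyBSD code: a stand-in for the loop shape described above, with a canary slot allocated one element past the logical array so the over-read of the buggy form is observable (and defined behaviour) and the fixed form can be checked against it. The struct, field name and PRINTF_INDEX macro are assumptions modelling only what the report mentions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-file checkpoint record; only the field
 * the report names is modelled. */
struct ckpt_fileinfo {
    int cfi_index;
};

#define CANARY (-12345)  /* planted one element past the logical array */

/* The DEBUG print is modelled as recording the value it would read. */
static int last_printed;
#define PRINTF_INDEX(cfi) (last_printed = (cfi)->cfi_index)

/* Buggy shape: cfi re-derived from i each iteration, then bumped before the print. */
int consume_buggy(struct ckpt_fileinfo *cfi_base, int filecount)
{
    struct ckpt_fileinfo *cfi;
    int i;
    last_printed = 0;
    for (i = 0; i < filecount; i++) {
        cfi = &cfi_base[i];
        /* ... entry i is consumed here ... */
        cfi++;              /* stray: now &cfi_base[i+1] */
        PRINTF_INDEX(cfi);  /* on the last iteration reads cfi_base[filecount] */
    }
    return last_printed;
}

/* Fixed shape: no increment; print the entry that was just consumed. */
int consume_fixed(struct ckpt_fileinfo *cfi_base, int filecount)
{
    struct ckpt_fileinfo *cfi;
    int i;
    last_printed = 0;
    for (i = 0; i < filecount; i++) {
        cfi = &cfi_base[i];
        PRINTF_INDEX(cfi);  /* reads cfi_base[i], always in bounds */
    }
    return last_printed;
}

/* Build filecount entries (cfi_index == i) plus one canary slot; return the
 * last value the print saw. CANARY means the loop read past the logical end. */
int demo(int filecount, int buggy)
{
    struct ckpt_fileinfo *arr = malloc((size_t)(filecount + 1) * sizeof *arr);
    int i, seen;
    if (arr == NULL) return -1;
    for (i = 0; i < filecount; i++) arr[i].cfi_index = i;
    arr[filecount].cfi_index = CANARY;
    seen = buggy ? consume_buggy(arr, filecount) : consume_fixed(arr, filecount);
    free(arr);
    return seen;
}

int main(void)
{
    printf("buggy last print: %d, fixed last print: %d\n", demo(4, 1), demo(4, 0));
    return 0;
}
```

With a real allocator and no canary slot the buggy form would touch the int just beyond the allocation, which is the CWE-125 read the report describes; a KASAN-style build would flag that access directly.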
Timeline
- 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_checkpoint.c.
- pending Reported to DragonFlyBSD security contact.