DragonFlyBSD Kernel Audit
DF-0075

DIOCGSLICEINFO leaks kernel pointers (KASLR bypass) via raw struct diskslices copyout

ID: DF-0075
Status: new
Severity: Medium
CVSS 3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (base score 5.5)
CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
File: sys/kern/subr_diskslice.c
Lines: 556-559
Area: kern (disk slice / disklabel parsing)
Confidence: likely
Discovered: 2026-06-30
Reported: pending

Summary

Independent of the heap overflow (DF-0074), the DIOCGSLICEINFO handler bcopy()s the live in-kernel struct diskslices, including the trailing array of struct diskslice entries, into the ioctl data buffer (sys/kern/subr_diskslice.c:557); mapped_ioctl then copyout()s that buffer to userspace unchanged (sys_generic.c:729). Nothing is sanitized on the way out, so the structure's pointer-valued fields reach the caller verbatim:

  • dss_cdevsw (struct cdevsw *, diskslice.h:168)
  • per-slice ds_dev (cdev_t = struct cdev *)
  • ds_label.opaque (void * to a kmalloc'd label or NULL)
  • ds_ops (static kernel-data pointer to disklabel32_ops/disklabel64_ops)
  • ds_devs[MAXPARTITIONS] pointer array (diskslice.h:144-158)

A local user who can open a slice device (PR:L in the vector above) thereby learns kernel .data addresses (dss_cdevsw, ds_ops), kmalloc-heap addresses (ds_dev, ds_devs[], ds_label.opaque) and, by subtraction from the known offsets of those symbols, the kernel load base. That defeats KASLR and removes the main obstacle to exploiting separate memory-corruption bugs, including DF-0074 in the same ioctl. The leak occurs on every DIOCGSLICEINFO call for every disk, not only for GPT-labelled ones; a NULL ds_label.opaque merely hides one pointer, the others are always populated.

Recommendation

Stop returning the raw kernel structure. Define a separate ioctl output structure that carries only public, non-pointer fields (offsets, sizes, types, UUIDs, openmasks), bzero() the output buffer, and copy those fields into it one by one so that neither pointers nor structure padding reach userspace. At minimum, zero every pointer-valued field in a stack copy before the bcopy; note that this is a stopgap, because any pointer field added to struct diskslices later would leak again until someone remembers to zero it.
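The following is an added userland model of the two copy strategies, written for this write-up; it is not DragonFlyBSD code. The struct layouts, the MAXPARTITIONS/NSLICES values and the stand-in kernel objects are assumptions chosen to mirror the field names cited in the summary, not the real sys/sys/diskslice.h. diocgsliceinfo_raw reproduces the vulnerable raw bcopy into the ioctl buffer, diocgsliceinfo_public is the field-by-field copy into a zeroed pointer-free structure, and count_leaked_pointers scans the resulting buffer at every byte offset for the address of each model kernel object, which is exactly the check a reviewer can run against a real ioctl reply.

```c
/* Added example (not DragonFlyBSD code): model of the DIOCGSLICEINFO copyout.
 * Struct layouts and constants are simplified assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPARTITIONS 16   /* assumed value, illustrative only */
#define NSLICES       4    /* assumed; the real array is larger */

struct cdevsw { int dummy; };   /* stand-ins for kernel .data / heap objects */
struct cdev   { int dummy; };
struct dl_ops { int dummy; };

struct diskslice {
    uint64_t             ds_offset;
    uint64_t             ds_size;
    int                  ds_type;
    uint32_t             ds_openmask;
    struct cdev         *ds_dev;                 /* kmalloc-heap pointer */
    void                *ds_label_opaque;        /* kmalloc'd label or NULL */
    const struct dl_ops *ds_ops;                 /* kernel .data pointer */
    struct cdev         *ds_devs[MAXPARTITIONS]; /* more heap pointers */
};

struct diskslices {
    const struct cdevsw *dss_cdevsw;             /* kernel .data pointer */
    int                  dss_nslices;
    struct diskslice     dss_slices[NSLICES];
};

/* Pointer-free public structure: the shape the fix should export. */
struct diskslice_info  { uint64_t offset, size; int type; uint32_t openmask; int has_label; };
struct diskslices_info { int nslices; struct diskslice_info slices[NSLICES]; };

/* Constructed objects standing in for kernel .data and kmalloc memory. */
static struct cdevsw fake_cdevsw;
static struct dl_ops fake_label_ops;
static struct cdev   fake_devs[NSLICES][MAXPARTITIONS];
static int           fake_label;

/* Fill a model struct diskslices the way the kernel would: every pointer
 * field points at a live kernel object (constructed values). */
void build_fixture(struct diskslices *ssp)
{
    memset(ssp, 0, sizeof(*ssp));
    ssp->dss_cdevsw  = &fake_cdevsw;
    ssp->dss_nslices = NSLICES;
    for (int s = 0; s < NSLICES; s++) {
        struct diskslice *sp = &ssp->dss_slices[s];
        sp->ds_offset       = (uint64_t)s * 1048576;
        sp->ds_size         = 1048576;
        sp->ds_type         = 0xa5;
        sp->ds_openmask     = 1u << s;
        sp->ds_dev          = &fake_devs[s][0];
        sp->ds_label_opaque = (s == 0) ? &fake_label : NULL;
        sp->ds_ops          = &fake_label_ops;
        for (int p = 0; p < MAXPARTITIONS; p++)
            sp->ds_devs[p] = &fake_devs[s][p];
    }
}

/* Vulnerable pattern: raw bcopy of the kernel structure into the ioctl buffer
 * that mapped_ioctl will copyout. Returns bytes written. */
size_t diocgsliceinfo_raw(const struct diskslices *ssp, void *out, size_t outlen)
{
    if (sizeof(*ssp) > outlen) return 0;
    memcpy(out, ssp, sizeof(*ssp));
    return sizeof(*ssp);
}

/* Hardened pattern: zero the output, then copy only public non-pointer fields,
 * so neither pointers nor padding bytes leave the kernel. */
size_t diocgsliceinfo_public(const struct diskslices *ssp, void *out, size_t outlen)
{
    struct diskslices_info *info = out;
    if (sizeof(*info) > outlen) return 0;
    memset(info, 0, sizeof(*info));
    info->nslices = ssp->dss_nslices;
    for (int s = 0; s < ssp->dss_nslices && s < NSLICES; s++) {
        const struct diskslice *sp = &ssp->dss_slices[s];
        info->slices[s].offset    = sp->ds_offset;
        info->slices[s].size      = sp->ds_size;
        info->slices[s].type      = sp->ds_type;
        info->slices[s].openmask  = sp->ds_openmask;
        info->slices[s].has_label = (sp->ds_label_opaque != NULL);
    }
    return sizeof(*info);
}

/* Leak check: does the byte pattern of a kernel address occur anywhere in the
 * buffer? Scans every byte offset so padding cannot hide a hit. */
int buffer_has_pointer(const void *buf, size_t len, const void *kptr)
{
    uintptr_t v = (uintptr_t)kptr;
    for (size_t i = 0; i + sizeof(v) <= len; i++)
        if (memcmp((const unsigned char *)buf + i, &v, sizeof(v)) == 0)
            return 1;
    return 0;
}

/* Number of distinct model kernel objects whose address a handler leaks. */
int count_leaked_pointers(size_t (*handler)(const struct diskslices *, void *, size_t))
{
    struct diskslices ssp;
    unsigned char out[sizeof(struct diskslices)];
    build_fixture(&ssp);
    size_t n = handler(&ssp, out, sizeof(out));
    int leaks = buffer_has_pointer(out, n, &fake_cdevsw)
              + buffer_has_pointer(out, n, &fake_label_ops)
              + buffer_has_pointer(out, n, &fake_label);
    for (int s = 0; s < NSLICES; s++)
        for (int p = 0; p < MAXPARTITIONS; p++)
            leaks += buffer_has_pointer(out, n, &fake_devs[s][p]);
    return leaks;
}

int main(void)
{
    printf("raw bcopy leaks %d kernel pointers\n", count_leaked_pointers(diocgsliceinfo_raw));
    printf("field-by-field copy leaks %d\n", count_leaked_pointers(diocgsliceinfo_public));
    return 0;
}
```

With the assumed sizes the raw copy exposes all 67 model objects (cdevsw, disklabel ops, the one label, and 4 x 16 device pointers, with ds_dev aliasing ds_devs[0]); the field-by-field copy exposes none. The same scan, fed the real reply of a DIOCGSLICEINFO call and the addresses from the kernel symbol table, is a quick way to confirm the leak on a live system without any exploitation.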

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/subr_diskslice.c.
  • pending Reported to DragonFlyBSD security contact.