DIOCGSLICEINFO leaks kernel pointers (KASLR bypass) via raw struct diskslices copyout
| Field | Value |
|---|---|
| ID | DF-0075 |
| Status | new |
| Severity | Medium |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor |
| File | sys/kern/subr_diskslice.c |
| Lines | 556-559 |
| Area | kern (disk slice / disklabel parsing) |
| Confidence | likely |
| Discovered | 2026-06-30 |
| Reported | pending |
Summary
Independent of the heap overflow (DF-0074), the DIOCGSLICEINFO bcopy at
sys/kern/subr_diskslice.c:557 returns the raw in-kernel struct
diskslices (followed by every struct diskslice) to userspace via the
copyout in mapped_ioctl (sys_generic.c:729). That structure contains, and
exposes verbatim, multiple kernel virtual addresses:
- dss_cdevsw (struct cdevsw *, diskslice.h:168)
- per-slice:
  - ds_dev (cdev_t = struct cdev *)
  - ds_label.opaque (void * to a kmalloc'd label, or NULL)
  - ds_ops (static kernel-data pointer to disklabel32_ops / disklabel64_ops)
  - ds_devs[MAXPARTITIONS] pointer array (diskslice.h:144-158)
A local user who can open a slice device can read kernel .text/.data and
kmalloc-heap pointers, defeating KASLR and easing exploitation of separate
memory-corruption bugs — including DF-0074 in the same ioctl. This happens on
every DIOCGSLICEINFO call, not only for GPT disks.
Recommended fix
Stop returning the raw kernel structure. Define a separate ioctl output
structure containing only public, non-pointer fields (offsets, sizes, types,
UUIDs, openmasks) and copy those field-by-field into a bzero'd output buffer.
At minimum, zero every pointer-valued field before the bcopy.
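As an added illustration (not DragonFlyBSD code; the struct layouts, field subset and kernel addresses are constructed stand-ins), the raw whole-struct copy pattern beside the field-by-field copy into a zeroed output structure that the fix describes, plus a check that scans the copied-out bytes for the placeholder kernel pointers:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for the kernel structure: public fields plus the
 * pointer-valued ones the report names (ds_dev, ds_label, ds_ops). */
struct slice_kern {
    uint64_t ds_offset, ds_size;   /* public: first sector, length in sectors */
    uint32_t ds_type;              /* public: slice type */
    void *ds_dev, *ds_label;       /* kernel pointers: cdev_t, kmalloc'd label */
    const void *ds_ops;            /* kernel pointer: static ops table */
};
/* Pointer-free output structure, the shape the recommended fix calls for. */
struct slice_user {
    uint64_t ds_offset, ds_size;
    uint32_t ds_type, ds_pad;      /* ds_pad: explicit padding, kept at zero */
};

/* Vulnerable pattern: the raw kernel structure goes out verbatim. */
void copyout_raw(const struct slice_kern *k, void *out) { memcpy(out, k, sizeof *k); }

/* Hardened pattern: zero the output, then copy only the public fields. */
void copyout_sanitized(const struct slice_kern *k, struct slice_user *out) {
    memset(out, 0, sizeof *out);
    out->ds_offset = k->ds_offset;
    out->ds_size = k->ds_size;
    out->ds_type = k->ds_type;
}

/* Audit check: does any byte offset of buf hold one of the pointer values? */
int contains_pointer(const void *buf, size_t len, const uintptr_t *ptrs, size_t n) {
    const unsigned char *p = buf;
    for (size_t off = 0; off + sizeof(uintptr_t) <= len; off++) {
        uintptr_t w;
        memcpy(&w, p + off, sizeof w);
        for (size_t i = 0; i < n; i++)
            if (w == ptrs[i]) return 1;
    }
    return 0;
}

/* Copies a constructed sample (placeholder addresses, not real ones) out
 * either way and returns 1 if a kernel pointer is exposed, else 0. */
int copy_leaks(int sanitized) {
    uintptr_t ptrs[3] = { 0xffff8000deadbe00u, 0xffff8000cafe0000u, 0xffffffff80aa0000u };
    struct slice_kern k = { 2048, 4194304, 0xa5, (void *)ptrs[0], (void *)ptrs[1], (const void *)ptrs[2] };
    union { unsigned char raw[sizeof k]; struct slice_user u; } out;
    if (sanitized) copyout_sanitized(&k, &out.u);
    else copyout_raw(&k, out.raw);
    return contains_pointer(&out, sanitized ? sizeof out.u : sizeof out.raw, ptrs, 3);
}
```

The same scan, run over the bytes an ioctl actually returns on a test machine, is a cheap regression check that a fix leaves no pointer-sized kernel address in the output.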
Timeline
- 2026-06-30 Discovered during automated file-by-file audit of sys/kern/subr_diskslice.c.
- pending Reported to DragonFlyBSD security contact.