soisconnected derefs head->so_accf based on inherited child SO_ACCEPTFILTER flag (NULL-deref/UAF race)
| Field | Value |
|---|---|
| ID | DF-0076 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CWE | CWE-476 NULL Pointer Dereference |
| File | sys/kern/uipc_socket2.c |
| Lines | 252-261 |
| Area | kern (socket layer) |
| Confidence | speculative |
| Discovered | 2026-06-30 |
| Reported | pending |
Summary
In soisconnected(), the test (so->so_options & SO_ACCEPTFILTER) != 0
(uipc_socket2.c:253) reads the child's options flag, which was inherited
from head at sonewconn_faddr time (so->so_options = head->so_options &~
SO_ACCEPTCONN, :376 — set without the pool token). The branch then
dereferences head->so_accf->so_accept_filter->accf_callback (:254) without
re-checking that head still has an installed filter.
If, between sonewconn_faddr() and the later soisconnected() call on the
in-progress child, the listening socket's owner removes the accept filter via
setsockopt(SOL_SOCKET, SO_ACCEPTFILTER, NULL), do_setopt_accept_filter()
frees head->so_accf and sets it to NULL (uipc_socket.c:2018-2019). The child
still carries the inherited flag, so the deref at :254 hits NULL (kernel panic,
local DoS) — or, in the kfree()-to-NULL-assignment window, a dangling pointer
(UAF).
The head pool token is held at :244, but it is unclear whether the setsockopt
removal path takes the same token. Listen sockets are explicitly not per-CPU
(comment at :263-265), so cross-CPU races are plausible.
Marked speculative because the dispatch/locking model may serialize this in practice; a maintainer should confirm.
Recommended fix
Re-check head->so_accf != NULL under the pool token, and test the head's
flag rather than the child's:
--- a/sys/kern/uipc_socket2.c
+++ b/sys/kern/uipc_socket2.c
@@ if (head && (so->so_state & SS_INCOMP)) {
- if ((so->so_options & SO_ACCEPTFILTER) != 0) {
+ if ((head->so_options & SO_ACCEPTFILTER) != 0 && head->so_accf != NULL) {
so->so_upcall = head->so_accf->so_accept_filter->accf_callback;
Additionally, have do_setopt_accept_filter() take the head pool token when
clearing so_accf so the read is serialized against removal.
Timeline
- 2026-06-30 Discovered during automated file-by-file audit of
sys/kern/uipc_socket2.c. - pending Reported to DragonFlyBSD security contact.