DragonFlyBSD Kernel Audit
DF-0077

Uninitialized kernel stack bytes leaked via kern.ntp_pll.gettime sysctl (struct ntptimeval trailing padding)

Summary

ntp_sysctl (kern_ntptime.c:208) declares struct ntptimeval ntv on the stack and assigns only its named fields (:215-220: time.tv_sec/tv_nsec, maxerror, esterror, tai, time_state). On LP64 the layout is timespec (16) + 3 x long (8) + int (4) = 44 bytes, padded to 48, so the last 4 bytes are trailing padding that no assignment ever writes. sysctl_handle_opaque copies sizeof(ntv) = 48 bytes to userspace (:254), including those 4 uninitialized stack bytes. The node is CTLFLAG_RD with no privilege gate (:261-262), so any unprivileged user reading sysctl kern.ntp_pll.gettime receives 4 bytes of stale kernel stack per call (KASLR bypass / sensitive residue). FreeBSD fixed the equivalent pattern.
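As an added illustration (not code from this audit or from DragonFly), a user-space replica of the struct ntptimeval layout: the kernel's field-by-field fill is mirrored into storage pre-seeded with a marker byte to count how many bytes a sizeof()-sized copy-out would expose, next to the whole-object memset that closes it. The struct replica and sample values are constructed; the 4-byte result assumes an LP64 host.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Replica of the struct ntptimeval layout described in the finding
 * (sys/timex.h field order); not the kernel's own header. */
struct ntptimeval_replica {
    struct timespec time;
    long maxerror;
    long esterror;
    long tai;
    int time_state;
};

/* Bytes after the last named field: trailing padding no assignment touches. */
size_t trailing_padding_bytes(void)
{
    return sizeof(struct ntptimeval_replica)
         - (offsetof(struct ntptimeval_replica, time_state) + sizeof(int));
}

/* Mirror ntp_sysctl's fill into storage pre-seeded with a stale-stack marker
 * (0xAA, constructed); count marker bytes a sizeof()-sized copy would expose.
 * hardened=1 zeroes the whole object first, clearing the padding as well. */
size_t stale_bytes_after_fill(int hardened)
{
    union { struct ntptimeval_replica s; unsigned char raw[sizeof(struct ntptimeval_replica)]; } u;
    size_t i, stale = 0;
    memset(&u, 0xAA, sizeof u);              /* simulate leftover stack data */
    if (hardened)
        memset(&u.s, 0, sizeof u.s);         /* the fix: zero before filling */
    u.s.time.tv_sec = 1700000000;            /* constructed sample values, */
    u.s.time.tv_nsec = 123456789;            /* none of which contains 0xAA */
    u.s.maxerror = 5000;
    u.s.esterror = 500;
    u.s.tai = 37;
    u.s.time_state = 0;
    for (i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == 0xAA)
            stale++;
    return stale;
}

int main(void)
{
    printf("sizeof=%zu padding=%zu leaked: unzeroed=%zu memset=%zu\n",
           sizeof(struct ntptimeval_replica), trailing_padding_bytes(),
           stale_bytes_after_fill(0), stale_bytes_after_fill(1));
    return 0;
}
```

A partial initializer such as = {0} on an automatic struct does not guarantee zeroed padding under the C standard, so a memset of the whole object before the fields are assigned (or bzero in kernel code) is the reliable fix for this class of copy-out leak.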