MEMRANGE_SET ioctl bypasses securelevel (mem_ioctl never checks FWRITE flag)
| Field | Value |
|---|---|
| ID | DF-0080 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| CWE | CWE-862 Missing Authorization |
| File | sys/kern/kern_memio.c |
| Lines | 521-571 |
| Area | kern (/dev/mem driver) |
| Confidence | likely |
| Discovered | 2026-06-30 |
| Reported | pending |
Summary
mmopen enforces securelevel > 0 || kernel_mem_readonly only when /dev/mem
is opened with FWRITE (kern_memio.c:155-158). At securelevel > 0 a root
process may open /dev/mem with O_RDONLY (FREAD only) and the securelevel
check is skipped entirely. mmioctl dispatches MEMRANGE_SET straight to
mem_ioctl without checking a_fflag, and mem_ioctl (:521-571) receives the
flags argument but never inspects it. mem_range_attr_set() calls
mem_range_softc.mr_op->set(), which on amd64 is amd64_mrset
(amd64_mem.c:528-599) — that path writes MTRR MSRs, changing physical memory
caching attributes.
This bypasses the securelevel security boundary for privileged memory-attribute
manipulation. FreeBSD guards this with if (!(flags & FWRITE)) return (EPERM);
in the MEMRANGE_SET case; that guard is absent here.
Recommended fix
--- a/sys/kern/kern_memio.c
+++ b/sys/kern/kern_memio.c
@@ case MEMRANGE_SET:
+ if ((flags & FWRITE) == 0)
+ return (EPERM);
md = kmalloc(sizeof(*md), M_MEMDESC, M_WAITOK);
Timeline
- 2026-06-30 Discovered during automated file-by-file audit of
sys/kern/kern_memio.c. - pending Reported to DragonFlyBSD security contact.