DragonFlyBSD Kernel Audit
← dashboard
DF-0080

MEMRANGE_SET ioctl bypasses securelevel (mem_ioctl never checks FWRITE flag)

Field Value
ID DF-0080
Status new
Severity Low
CVSS 3.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CWE CWE-862 Missing Authorization
File sys/kern/kern_memio.c
Lines 521-571
Area kern (/dev/mem driver)
Confidence likely
Discovered 2026-06-30
Reported pending

Summary

mmopen enforces securelevel > 0 || kernel_mem_readonly only when /dev/mem is opened with FWRITE (kern_memio.c:155-158). At securelevel > 0 a root process may open /dev/mem with O_RDONLY (FREAD only) and the securelevel check is skipped entirely. mmioctl dispatches MEMRANGE_SET straight to mem_ioctl without checking a_fflag, and mem_ioctl (:521-571) receives the flags argument but never inspects it. mem_range_attr_set() calls mem_range_softc.mr_op->set(), which on amd64 is amd64_mrset (amd64_mem.c:528-599) — that path writes MTRR MSRs, changing physical memory caching attributes.

This bypasses the securelevel security boundary for privileged memory-attribute manipulation. FreeBSD guards this with if (!(flags & FWRITE)) return (EPERM); in the MEMRANGE_SET case; that guard is absent here.

--- a/sys/kern/kern_memio.c
+++ b/sys/kern/kern_memio.c
@@ case MEMRANGE_SET:
+   if ((flags & FWRITE) == 0)
+       return (EPERM);
    md = kmalloc(sizeof(*md), M_MEMDESC, M_WAITOK);

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_memio.c.
  • pending Reported to DragonFlyBSD security contact.