DragonFlyBSD Kernel Audit
DF-0095

Per-process shmmap_state array is sized from shminfo.shmseg at allocation time, but every loop over it re-reads the live, root-writable shminfo.shmseg: out-of-bounds access once kern.ipc.shmseg is raised

Summary

sys_shmat allocates the per-vmspace shmmap_state array lazily on a process's first attach (:284), sized as shminfo.shmseg * sizeof(struct shmmap_state) with the value of shminfo.shmseg at that moment; the array carries no record of that size. Every later walk over the array, in sys_shmat (:312), sys_shmdt (:242), shmexit (:674) and shmfork (:654/:658), bounds its loop by re-reading the live shminfo.shmseg, which is exported as kern.ipc.shmseg with CTLFLAG_RW (:138) and so can be raised by root at any time.

If root raises kern.ipc.shmseg after a process has already allocated the smaller array, each of those loops runs past the end of the kmalloc'd buffer: out-of-bounds reads of shmmap_s[i].shmid, .va and .reserved, and out-of-bounds writes wherever the loops store to those fields (the free-slot search in shmat writes shmid and va into the first slot whose shmid happens to read as -1, wherever that lands). shmfork bcopy()s shminfo.shmseg (the new, larger count) entries out of the undersized parent array into a freshly sized child array, so the child inherits a heap over-read of the parent's neighbouring allocation as apparently valid attach state.

Whatever the over-read slots contain is then trusted: shm_delete_mapping (:197-217) computes segnum = IPCID_TO_IX(shmmap_s->shmid) from the garbage shmid with no bounds check, indexes shmsegs[] with it, and can end in vm_object_deallocate() on a pointer taken from attacker-influenced memory.

Trigger: root writes kern.ipc.shmseg. Victims: any unprivileged process whose vm_shm array was allocated under the old, smaller limit.
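As an added example, not part of this audit entry and not DragonFlyBSD's sysv_shm.c: a userland C model of the size mismatch described above. Both tables are sized from a tunable at first attach; the "buggy" calls bound their loops by the tunable's current value, as shmat/shmdt/shmexit do, and the "fixed" calls bound them by the count captured with the allocation, which is what a hardened shmat/shmdt/shmexit/shmfork would do (for example by storing the count in the vmspace next to vm_shm; that is this editor's suggestion, not the project's fix). All names (slot_table, slot_at, attach, detach, run_scenario, shmseg_tunable) are hypothetical, and the GUARD slots filled with marked stale data stand in for whatever follows the real allocation in the kernel heap, so that the model itself stays memory-safe while still showing which accesses would be out of bounds. The shmfork bcopy over-read is the same mismatch and is not modelled separately.

```c
/*
 * Added example, not DragonFlyBSD code: a userland model of the DF-0095
 * defect. The attach table is sized from a tunable at first attach, but the
 * later walks bound themselves by the tunable's current value; the hardened
 * form keeps the allocated count with the array and bounds every loop by it.
 * All names are hypothetical. GUARD slots stand in for whatever follows the
 * real allocation in the heap so that the model itself stays memory-safe.
 */
#include <stdio.h>
#include <stdlib.h>

#define GUARD       8     /* model-only: slots past the "real" allocation */
#define SLOT_FREE  (-1)   /* shmid of an unused slot, as in the kernel */
#define SLOT_STALE (-2)   /* what the model puts in out-of-bounds slots */

static int shmseg_tunable = 2;  /* stand-in for shminfo.shmseg (kern.ipc.shmseg) */

struct slot { unsigned long va; int shmid; };   /* after struct shmmap_state */

struct slot_table {
    struct slot *slots;
    int allocated;        /* captured once; the hardened loops key on this */
    int oob_accesses;     /* model-only: slot accesses at index >= allocated */
};

/* Allocate at first attach, exactly as large as the tunable says right now. */
static struct slot_table table_alloc(void)
{
    struct slot_table t = { NULL, shmseg_tunable, 0 };
    t.slots = calloc((size_t)t.allocated + GUARD, sizeof *t.slots);
    if (t.slots == NULL) abort();
    for (int i = 0; i < t.allocated + GUARD; i++) {   /* past allocated: stale heap */
        t.slots[i].shmid = i < t.allocated ? SLOT_FREE : SLOT_STALE;
        t.slots[i].va = i < t.allocated ? 0 : 0xdead0000UL + (unsigned long)i;
    }
    return t;
}

/* Every slot access goes through here so out-of-bounds walks are counted. */
static struct slot *slot_at(struct slot_table *t, int i)
{
    if (i >= t->allocated + GUARD) abort();   /* more than the model can fake */
    if (i >= t->allocated) t->oob_accesses++;
    return &t->slots[i];
}

/* shmat-style free-slot search. `bound` is whatever the caller trusts: the
 * live tunable (buggy) or t->allocated (fixed). Returns index or -1 (EMFILE). */
static int attach(struct slot_table *t, int bound, int shmid, unsigned long va)
{
    for (int i = 0; i < bound; i++) {
        struct slot *s = slot_at(t, i);
        if (s->shmid == SLOT_FREE) {
            s->shmid = shmid;     /* an out-of-bounds store when i >= allocated */
            s->va = va;
            return i;
        }
    }
    return -1;
}

/* shmdt-style lookup by address. Returns the matched index or -1 (EINVAL). */
static int detach(struct slot_table *t, int bound, unsigned long va)
{
    for (int i = 0; i < bound; i++) {
        struct slot *s = slot_at(t, i);
        if (s->shmid != SLOT_FREE && s->va == va) {
            s->shmid = SLOT_FREE; /* kernel: shm_delete_mapping() on this slot */
            return i;
        }
    }
    return -1;
}

struct scenario { int buggy_oob, fixed_oob, buggy_detach_idx, fixed_detach_idx; };

/* A process fills its table while shmseg is 2, root raises shmseg to 6, and
 * the process keeps attaching and detaching. Same calls on both tables; the
 * only difference is which bound each loop trusts. */
static struct scenario run_scenario(void)
{
    struct scenario r;
    shmseg_tunable = 2;
    struct slot_table buggy = table_alloc(), fixed = table_alloc();
    attach(&buggy, shmseg_tunable, 100, 0x1000); attach(&buggy, shmseg_tunable, 101, 0x2000);
    attach(&fixed, fixed.allocated, 100, 0x1000); attach(&fixed, fixed.allocated, 101, 0x2000);
    shmseg_tunable = 6;           /* root: sysctl kern.ipc.shmseg=6 */
    attach(&buggy, shmseg_tunable, 102, 0x3000);   /* walks slots 2..5 past the end */
    r.buggy_detach_idx = detach(&buggy, shmseg_tunable, 0xdead0003UL); /* stale slot "matches" */
    attach(&fixed, fixed.allocated, 102, 0x3000);  /* EMFILE, stays in bounds */
    r.fixed_detach_idx = detach(&fixed, fixed.allocated, 0xdead0003UL); /* EINVAL */
    r.buggy_oob = buggy.oob_accesses;
    r.fixed_oob = fixed.oob_accesses;
    free(buggy.slots); free(fixed.slots);
    return r;
}

int main(void)
{
    struct scenario r = run_scenario();
    printf("buggy: %d OOB slot accesses, detach matched index %d\n", r.buggy_oob, r.buggy_detach_idx);
    printf("fixed: %d OOB slot accesses, detach returned %d\n", r.fixed_oob, r.fixed_detach_idx);
    return 0;
}
```

Build with something like `cc -std=c99 -Wall model.c` (file name assumed). The buggy table reports six slot accesses at indexes at or past its allocation and a detach that "finds" the stale slot at index 3, which is the point at which the real shm_delete_mapping would take IPCID_TO_IX of garbage; the fixed table, using the same calls, never leaves its allocation and returns EMFILE/EINVAL instead.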