DragonFlyBSD Kernel Audit
DF-0096

sglist_join has reversed bcopy arguments - joins produce stale/garbage segments (dead code, identical to upstream FreeBSD)

Summary

sglist_join (subr_sglist.c:613-614) is documented to append second onto first. The copy is written as bcopy(first->sg_segs+first_nseg, second->sg_segs+append, ...), but bcopy takes (from, to, len), so it copies FROM first's uninitialised tail INTO second instead of the other way round. first->sg_nseg is then bumped (:615) as if the segments had been appended, but those slots were never written, so whatever stale heap data sits there is treated as valid sg_segs. Consequences: DMA to attacker-influenced addresses, or a heap info leak if the list is copied out. The identical bug exists in upstream FreeBSD. There are ZERO in-tree callers (only the definition and prototype), but the symbol is exported, so a KLD could trip it. Fix: swap the arguments: bcopy(second->sg_segs+append, first->sg_segs+first_nseg, ...).
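To make the effect concrete, here is an added userland model of the join (illustrative code written for this page, not the kernel's subr_sglist.c): the struct layout, SG_MAXSEG, the kern_bcopy wrapper and the STALE_PADDR sentinel are all constructed assumptions. The unused tail of first is pre-filled with 0xAA bytes to stand in for stale heap contents, so the reversed copy can be observed deterministically beside the corrected one.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel structures; field names follow subr_sglist.c. */
#define SG_MAXSEG 8
#define STALE_PADDR 0xAAAAAAAAAAAAAAAAULL   /* sentinel standing in for stale heap bytes */

struct sglist_seg {
    uint64_t ss_paddr;   /* physical address of this segment */
    size_t   ss_len;     /* length in bytes */
};

struct sglist {
    struct sglist_seg sg_segs[SG_MAXSEG];
    int sg_nseg;         /* segments in use */
    int sg_maxseg;       /* capacity of sg_segs */
};

/* Kernel bcopy argument order is (from, to, len); modelled here with memmove. */
static void kern_bcopy(const void *from, void *to, size_t len) { memmove(to, from, len); }

static void sglist_reset(struct sglist *sg) { sg->sg_nseg = 0; }

/*
 * Append 'second' onto 'first'. fixed == 0 reproduces the reversed argument
 * order the audit describes; fixed == 1 uses the corrected order.
 * Returns 0 on success or EINVAL when first lacks room.
 */
static int sglist_join_impl(struct sglist *first, struct sglist *second, int fixed)
{
    int append = 0;

    if (second->sg_nseg == 0)
        return 0;

    /* Coalesce if second's first segment is physically contiguous with first's last. */
    if (first->sg_nseg != 0) {
        struct sglist_seg *flast = &first->sg_segs[first->sg_nseg - 1];
        struct sglist_seg *sfirst = &second->sg_segs[0];
        if (flast->ss_paddr + flast->ss_len == sfirst->ss_paddr) {
            flast->ss_len += sfirst->ss_len;
            append = 1;
        }
    }

    if (first->sg_nseg + second->sg_nseg - append > first->sg_maxseg)
        return EINVAL;

    if (fixed) {
        /* Corrected: second's remaining segments land in first's tail. */
        kern_bcopy(second->sg_segs + append, first->sg_segs + first->sg_nseg,
                   (second->sg_nseg - append) * sizeof(struct sglist_seg));
    } else {
        /* Reversed as described: first's unwritten tail is copied INTO second. */
        kern_bcopy(first->sg_segs + first->sg_nseg, second->sg_segs + append,
                   (second->sg_nseg - append) * sizeof(struct sglist_seg));
    }
    first->sg_nseg += second->sg_nseg - append;   /* count is bumped either way */
    sglist_reset(second);
    return 0;
}

static int sglist_join_buggy(struct sglist *f, struct sglist *s) { return sglist_join_impl(f, s, 0); }
static int sglist_join_fixed(struct sglist *f, struct sglist *s) { return sglist_join_impl(f, s, 1); }

/*
 * Constructed input: first holds one segment and its unused tail is filled
 * with 0xAA bytes (STALE_PADDR) so "stale heap data" is deterministic; second
 * holds two segments, the first one optionally contiguous with first's last.
 */
static void build_lists(struct sglist *first, struct sglist *second, int contiguous)
{
    memset(first, 0xAA, sizeof(*first));
    first->sg_nseg = 1;
    first->sg_maxseg = SG_MAXSEG;
    first->sg_segs[0].ss_paddr = 0x1000;
    first->sg_segs[0].ss_len = 0x100;

    memset(second, 0, sizeof(*second));
    second->sg_nseg = 2;
    second->sg_maxseg = SG_MAXSEG;
    second->sg_segs[0].ss_paddr = contiguous ? 0x1100 : 0x5000;
    second->sg_segs[0].ss_len = 0x200;
    second->sg_segs[1].ss_paddr = 0x7000;
    second->sg_segs[1].ss_len = 0x80;
}

int main(void)
{
    struct sglist f, s;
    build_lists(&f, &s, 0);
    sglist_join_buggy(&f, &s);
    printf("buggy: nseg=%d seg[1].paddr=%#llx (stale)\n", f.sg_nseg, (unsigned long long)f.sg_segs[1].ss_paddr);
    build_lists(&f, &s, 0);
    sglist_join_fixed(&f, &s);
    printf("fixed: nseg=%d seg[1].paddr=%#llx\n", f.sg_nseg, (unsigned long long)f.sg_segs[1].ss_paddr);
    return 0;
}
```

With the reversed order, sg_nseg climbs to 3 while sg_segs[1] still holds the sentinel, which is exactly the "count bumped, slots never written" state the finding describes; with the corrected order the same input yields the expected segments and the coalescing and EINVAL paths behave as the prologue intends.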