DragonFlyBSD Kernel Audit
DF-0103

p_tracenode/p_traceflag mutated without target p_token -> refcount double-drop/UAF and NULL-deref TOCTOU

Summary

sys_ktrace() reaches the target process's p_tracenode and p_traceflag on three paths without holding the target's p->p_token: by pid through ktrops(td, p, ...) (:386), by process group through the LIST_FOREACH over the pgrp members (:369), and for KTROP_CLEARFILE through ktrace_clear_callback() run by allproc_scan() (:412-427). The trace writer, ktrwrite(), reads p_tracenode the same way (:608-610; the comment there already says "XXX not MP safe"), and the file notes at :405 that this code is NOT MPSAFE yet. Two concrete races follow.

Double drop in KTROP_SET. ktrops() does oldnode = p->p_tracenode, stores the new node, then ktrdestroy(&oldnode) (:514-518). Two concurrent ktrace() calls against the same pid can both snapshot oldnode = A before either stores its replacement; both then call ktrdestroy(&A), so A's refcount is dropped twice for a single removed pointer. If A held one reference, the first drop frees it and the second drop's atomic_fetchadd runs on freed memory (:481-486): a double-free/use-after-free.

NULL-dereference TOCTOU in ktrwrite(). The NULL check of p_tracenode and the following ktrinherit() are two separate reads (:608-610). A concurrent clearer that NULLs p_tracenode between them makes ktrinherit() return NULL, and the dereference of that NULL node at the vn_lock() call (:633) panics.

Both races are reachable by an unprivileged user tracing its own or its children's processes; no non-default kernel configuration is needed.

Impact: kernel panic (DoS); a controlled UAF through the freed ktrace_node is plausible but not demonstrated here.

Fix: acquire the target's p_token across ktrops(), ktrsetchildren(), ktrace_clear_callback() and the p_tracenode read/inherit in ktrwrite().
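The two interleavings above as a userland model, added for this page and not DragonFlyBSD code. It keeps the shape of ktrops()/ktrdestroy()/ktrinherit() and of ktrwrite()'s check-then-inherit, but everything else is the model's own assumption: token_get()/token_rel() on a plain int stand in for lwkt_gettoken(&p->p_token), a kn_freed flag stands in for vn_close()+FREE() so a late touch is observable instead of crashing, and the "threads" are interleaved by hand in program order (the schedule a real preemption produces). The set_race_*/write_race_* functions are hypothetical drivers that return 1 when the unsafe step would have been hit.

```c
/*
 * Userland model of the kern_ktrace.c races described above. Added for this
 * page; not DragonFlyBSD code. kn_refs, p_tracenode, ktrinherit and
 * ktrdestroy mirror the kernel; token_get/token_rel, kn_freed and the
 * *_race_* drivers are model-only assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdatomic.h>

struct ktrace_node {
    atomic_int kn_refs;
    int        kn_freed;   /* model-only: set where the kernel calls FREE() */
};

struct proc {
    struct ktrace_node *p_tracenode;
    int                 p_token;   /* model of lwkt token: 0 = free, 1 = held */
};

static void token_get(int *tok) { if (*tok) abort(); *tok = 1; }
static void token_rel(int *tok) { if (!*tok) abort(); *tok = 0; }

/* Take a reference; like the kernel's ktrinherit(), NULL in gives NULL out. */
static struct ktrace_node *ktrinherit(struct ktrace_node *n)
{
    if (n != NULL)
        atomic_fetch_add(&n->kn_refs, 1);
    return n;
}

/* Drop a reference. Returns 1 if the node was already freed (the UAF). */
static int ktrdestroy(struct ktrace_node **np)
{
    struct ktrace_node *n = *np;
    if (n == NULL)
        return 0;
    *np = NULL;
    if (n->kn_freed)
        return 1;                      /* fetchadd on freed memory (:481-486) */
    if (atomic_fetch_sub(&n->kn_refs, 1) == 1)
        n->kn_freed = 1;               /* vn_close() + FREE() in the kernel */
    return 0;
}

/* Two ktrace(KTROP_SET) callers preempting each other on one target. */
static int set_race_unlocked(void)
{
    struct ktrace_node A = { .kn_refs = 1 }, N1 = { .kn_refs = 1 }, N2 = { .kn_refs = 1 };
    struct proc p = { .p_tracenode = &A };
    struct ktrace_node *old1, *old2;
    int uaf;

    old1 = p.p_tracenode;             /* caller 1: oldnode = A (:514)           */
    old2 = p.p_tracenode;             /* caller 2 preempts: oldnode = A as well */
    p.p_tracenode = ktrinherit(&N1);  /* caller 1 installs N1                   */
    p.p_tracenode = ktrinherit(&N2);  /* caller 2 installs N2 (N1's ref leaks)  */
    uaf  = ktrdestroy(&old1);         /* A: 1 -> 0, freed                       */
    uaf |= ktrdestroy(&old2);         /* A again: touches the freed node        */
    return uaf;
}

/* KTROP_SET with p_token held across snapshot, install and drop. */
static int ktrops_set_locked(struct proc *p, struct ktrace_node *newnode)
{
    struct ktrace_node *oldnode;
    int uaf = 0;

    token_get(&p->p_token);
    oldnode = p->p_tracenode;
    if (oldnode != newnode) {
        p->p_tracenode = ktrinherit(newnode);
        uaf = ktrdestroy(&oldnode);
    }
    token_rel(&p->p_token);
    return uaf;
}

static int set_race_locked(void)
{
    struct ktrace_node A = { .kn_refs = 1 }, N1 = { .kn_refs = 1 }, N2 = { .kn_refs = 1 };
    struct proc p = { .p_tracenode = &A };
    int uaf;

    uaf  = ktrops_set_locked(&p, &N1);   /* A: 1 -> 0, freed exactly once */
    uaf |= ktrops_set_locked(&p, &N2);   /* sees N1, not A; N1: 2 -> 1    */
    return uaf;
}

/* ktrwrite() as written: NULL check (:608), then ktrinherit() (:610), with a
 * KTROP_CLEAR on the target landing between the two reads.
 * Returns -1 for the NULL dereference, 0 if nothing to write, 1 if written. */
static int write_race_unlocked(void)
{
    struct ktrace_node A = { .kn_refs = 1 };
    struct proc p = { .p_tracenode = &A };
    struct ktrace_node *tracenode;

    if (p.p_tracenode == NULL)              /* writer: check passes              */
        return 0;
    ktrdestroy(&p.p_tracenode);             /* clearer: A freed, pointer NULLed  */
    tracenode = ktrinherit(p.p_tracenode);  /* writer: inherits NULL             */
    if (tracenode == NULL)
        return -1;                          /* vn_lock(tracenode->kn_vp) faults (:633) */
    ktrdestroy(&tracenode);
    return 1;
}

/* ktrwrite() with read+inherit under p_token: the clearer runs either before
 * (we see NULL and skip) or after (our reference keeps the node alive). */
static int write_race_locked(void)
{
    struct ktrace_node A = { .kn_refs = 1 };
    struct proc p = { .p_tracenode = &A };
    struct ktrace_node *tracenode;

    token_get(&p.p_token);
    tracenode = ktrinherit(p.p_tracenode);  /* one read, one ref: A 1 -> 2     */
    token_rel(&p.p_token);
    ktrdestroy(&p.p_tracenode);             /* clearer now: A 2 -> 1, still live */
    if (tracenode == NULL)
        return 0;
    if (tracenode->kn_freed)
        return -1;
    /* ... vn_lock(tracenode->kn_vp), write the record, vn_unlock ... */
    ktrdestroy(&tracenode);                 /* A 1 -> 0, freed once, by us      */
    return 1;
}

int main(void)
{
    printf("KTROP_SET race  unlocked=%d locked=%d (1 = second drop hit freed node)\n",
           set_race_unlocked(), set_race_locked());
    printf("ktrwrite TOCTOU unlocked=%d locked=%d (-1 = NULL deref, 1 = wrote)\n",
           write_race_unlocked(), write_race_locked());
    return 0;
}
```

The hand-written interleaving is the point: the unlocked drivers perform the exact two-read schedule the finding describes, and the locked variants show that holding the token across snapshot, install and drop (or across read and inherit in the writer) leaves no window for a second reader to observe the same old pointer or a freshly NULLed one.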