DragonFlyBSD Kernel Audit
← dashboard
DF-0114

PT_IO trusts user piod_len without bounds check; narrows size_t into ssize_t uio_resid

Summary

PT_IO path assigns piod->piod_len(size_t) directly to uio_resid(ssize_t)(:442). piod_len>SSIZE_MAX becomes negative uio_resid. No corruption: procfs_rwmem clamps via szmin(PAGE_SIZE,...) per iteration. Only effect: garbage piod_len accounting returned. Hardening gap.