DragonFlyBSD Kernel Audit
DF-0137

Unlocked TAILQ traversal in varsymset_init() during fork: data race/UAF

Summary

varsymset_init() (lines 519-531) copies the source varsymset by walking it with TAILQ_FOREACH without acquiring copy->vx_lock. The caller fork1() (kern_fork.c:646) passes &p1->p_varsymset as that source. A concurrent LWP of the same process can call varsym_set(VARSYM_PROC), which reaches varsymmake and modifies the same TAILQ under LK_EXCLUSIVE (line 457), kfree'ing entries. The unlocked traversal in varsymset_init() can then follow a freed ve pointer, a use-after-free. The non-atomic ++vs_refs in varsymdup() (line 510) is racy as well. The resulting TAILQ corruption leads to a panic or UAF.