DragonFlyBSD Kernel Audit
DF-0139

SLEEPQ_HASH misplaced mask causes massive OOB index into sleepq_chains array

Summary

SLEEPQ_HASH(:82-83) is defined as ((wchan>>10) ^ (wchan & SLEEPQ_HMASK)). The & SLEEPQ_HMASK masks ONLY the second XOR operand, not the whole result, so the unmasked wchan>>10 term survives into the hash. For a typical 64-bit kernel pointer the hash is therefore a ~54-bit value, while sleepq_chains has only 1024 entries. SLEEPQ_LOOKUP(:85) evaluates &sleepq_chains[huge], a wild OOB pointer, and the spin_lock that follows operates on an arbitrary address: IMMEDIATE panic or memory corruption on the first call. Currently DEAD CODE (zero in-tree callers, but compiled into the kernel). Fires the instant the Linux KPI compat layer is wired up.
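To make the misplaced mask concrete, an added example (not code from the DragonFlyBSD tree) that models the quoted hash with a 64-bit integer in place of the wait-channel pointer; it assumes SLEEPQ_HMASK is 1023 (one less than the 1024-entry table), pairs the quoted form with a corrected one that masks the whole XOR result, and uses a constructed sample address.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed: a 1024-entry sleepq_chains table, so the mask is 1023. */
#define SLEEPQ_HSIZE 1024u
#define SLEEPQ_HMASK (SLEEPQ_HSIZE - 1)

/* Hash as quoted in the finding: the mask binds only to the second XOR
 * operand, so the unmasked (wchan >> 10) term flows into the result. */
#define SLEEPQ_HASH_BUGGY(wchan) \
    (((wchan) >> 10) ^ ((wchan) & SLEEPQ_HMASK))

/* Corrected form (assumed fix, not from the page): XOR first, then mask
 * the whole value so the index can never exceed SLEEPQ_HMASK. */
#define SLEEPQ_HASH_FIXED(wchan) \
    ((((wchan) >> 10) ^ (wchan)) & SLEEPQ_HMASK)

/* The real macro takes a pointer; a 64-bit integer stands in for it here. */
uint64_t sleepq_hash_buggy(uint64_t wchan) { return SLEEPQ_HASH_BUGGY(wchan); }
uint64_t sleepq_hash_fixed(uint64_t wchan) { return SLEEPQ_HASH_FIXED(wchan); }

/* Bounds check that SLEEPQ_LOOKUP would need before indexing the table. */
bool sleepq_index_ok(uint64_t idx) { return idx < SLEEPQ_HSIZE; }

/* First wchan whose buggy hash escapes the table. Both XOR operands are
 * below 1024 only while wchan >> 10 is below 1024, i.e. for addresses
 * under 1 MiB; any kernel pointer above that lands outside sleepq_chains. */
uint64_t sleepq_buggy_escape_threshold(void) { return (uint64_t)SLEEPQ_HSIZE << 10; }

int main(void)
{
    /* Constructed kernel-looking address, not a real DragonFlyBSD value. */
    uint64_t wchan = 0xffff800012345678ull;
    printf("buggy index 0x%llx in bounds: %d\n",
           (unsigned long long)sleepq_hash_buggy(wchan),
           sleepq_index_ok(sleepq_hash_buggy(wchan)));
    printf("fixed index %llu in bounds: %d\n",
           (unsigned long long)sleepq_hash_fixed(wchan),
           sleepq_index_ok(sleepq_hash_fixed(wchan)));
    return 0;
}
```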