DragonFlyBSD Kernel Audit
DF-0149

Signed-integer truncation in TLV walk size math allows backward/OOB pointer movement

Summary

TLV walkers compute int next = sizeof(u32)*2 + hdr[1] and then roundup(next, sizeof(u_long)). hdr[1] is a u_int32_t taken from boot metadata. A value >= 0x80000000 yields a negative int next. roundup() is division-based (sign-preserving), so a negative next stays negative and curp walks BACKWARD: the reads land before preload_metadata. len = 0xFFFFFFF8 gives next = 0, so the walker never advances and boot hangs. Boot-time only; requires tampered metadata.
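The size math the finding describes, placed beside a hardened form, as an added C example that is not DragonFly's own code. The roundup() macro is the sys/param.h definition; the record layout (two u_int32_t header words followed by a payload padded to sizeof(u_long)), the hardening checks, the walk_tlv() helper and the constructed metadata buffers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Division-based roundup(), as in sys/param.h: truncating division keeps the sign. */
#define roundup(x, y) ((((x) + ((y) - 1)) / (y)) * (y))

/* Vulnerable form, as the finding describes: the 64-bit sum of the header size
 * and the untrusted u32 length is truncated into a signed int, then rounded.
 * len >= 0x80000000 gives a negative result; len = 0xFFFFFFF8 gives 0. */
static int vuln_next(uint32_t len)
{
    int next = sizeof(uint32_t) * 2 + len;       /* truncation to int */
    next = roundup(next, sizeof(unsigned long)); /* sign survives the division */
    return next;
}

/* Hardened form (assumption, not the project's fix): compute in size_t, refuse
 * lengths that would overflow the roundup, and refuse a step that leaves the
 * region still to be walked. Because next >= header size > 0, a zero step
 * (the boot-hang case) is impossible here. */
static bool safe_next(uint32_t len, size_t remaining, size_t *next_out)
{
    const size_t hdrlen = sizeof(uint32_t) * 2;
    const size_t align = sizeof(unsigned long);
    size_t next;

    if (len > SIZE_MAX - hdrlen - (align - 1))
        return false;                 /* roundup would wrap */
    next = roundup(hdrlen + len, align);
    if (next > remaining)
        return false;                 /* would step past the metadata region */
    *next_out = next;
    return true;
}

/* Walk records until a type-0 terminator. Returns the record count, or -1 if a
 * length is rejected or the region ends without a terminator. Reads the header
 * with memcpy so the walk never dereferences a misaligned or stale pointer. */
static int walk_tlv(const uint32_t *buf, size_t size)
{
    const uint8_t *curp = (const uint8_t *)buf;
    const uint8_t *end = curp + size;
    int count = 0;

    while ((size_t)(end - curp) >= sizeof(uint32_t) * 2) {
        uint32_t hdr[2];
        size_t next;

        memcpy(hdr, curp, sizeof hdr);
        if (hdr[0] == 0)
            return count;             /* terminator */
        if (!safe_next(hdr[1], (size_t)(end - curp), &next))
            return -1;                /* tampered length rejected */
        curp += next;
        count++;
    }
    return -1;
}

/* Constructed sample metadata (not real boot data): two records then a terminator. */
static const uint32_t good_metadata[10] = {
    1, 4, 0xAABBCCDD, 0,              /* type 1, len 4, payload, pad to 16 bytes */
    2, 3, 0x00112233, 0,              /* type 2, len 3, payload, pad to 16 bytes */
    0, 0                              /* terminator */
};
/* Constructed tampered buffers: one backward step, one zero step. */
static const uint32_t huge_len_metadata[10] = { 1, 0x80000000u, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint32_t wrap_len_metadata[10] = { 1, 0xFFFFFFF8u, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("vuln_next(0x80000000) = %d\n", vuln_next(0x80000000u));  /* negative */
    printf("vuln_next(0xFFFFFFF8) = %d\n", vuln_next(0xFFFFFFF8u));  /* 0: no progress */
    printf("good walk: %d records\n", walk_tlv(good_metadata, sizeof good_metadata));
    printf("huge len walk: %d\n", walk_tlv(huge_len_metadata, sizeof huge_len_metadata));
    printf("wrap len walk: %d\n", walk_tlv(wrap_len_metadata, sizeof wrap_len_metadata));
    return 0;
}
```

The two tampered buffers show the two failure modes in the summary: vuln_next() returns a negative step for 0x80000000 (curp moves backward) and 0 for 0xFFFFFFF8 (curp never moves), while the size_t version with a remaining-bytes bound rejects both before the pointer is touched.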