DragonFlyBSD Kernel Audit
DF-0157

xio_uio_copy missing upper-bound check; KKASSERT(bytes>=0) is tautology on unsigned size_t

Summary

xio_uio_copy (lines 196-213) has no uoffset > xio_bytes guard, unlike its four sibling functions. The KKASSERT(bytes >= 0) at line 205 is tautological because bytes is an unsigned size_t, so it can never fire. A negative uoffset makes xio_bytes - uoffset wrap to SIZE_MAX, and uiomove_fromphys then reads out of bounds in xio_pages[]. There is no current in-tree trigger (vfs_journal passes only internal offsets).
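As an added illustration, not DragonFly's own code, the following constructed model reproduces the offset arithmetic described above: an unsigned assertion that can never fail, next to an explicit offset guard of the kind the sibling functions carry that rejects both a negative and an oversized uoffset before the subtraction. The struct model_xio and the model_copy_* names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the real xio: only the byte count matters here. */
struct model_xio {
    size_t xio_bytes;
};

/* Mirrors the audited pattern. bytes is size_t, so "bytes >= 0" is always
 * true: a negative or past-the-end uoffset silently yields a huge count. */
size_t model_copy_unchecked(const struct model_xio *xio, int uoffset)
{
    size_t bytes = xio->xio_bytes - (size_t)uoffset;
    bool tautology = (bytes >= 0);   /* what KKASSERT(bytes >= 0) evaluates */
    (void)tautology;                 /* never false, so it catches nothing */
    return bytes;                    /* would feed the copy length */
}

/* Hardened form: validate the signed offset before unsigned arithmetic.
 * Returns false and sets *bytes to 0 when uoffset is negative or beyond
 * xio_bytes; uoffset == xio_bytes is allowed and yields zero bytes. */
bool model_copy_checked(const struct model_xio *xio, int uoffset, size_t *bytes)
{
    if (uoffset < 0 || (size_t)uoffset > xio->xio_bytes) {
        *bytes = 0;
        return false;
    }
    *bytes = xio->xio_bytes - (size_t)uoffset;
    return true;
}

int main(void)
{
    struct model_xio xio = { 4096 };   /* constructed 4 KiB buffer */
    size_t n;

    printf("unchecked, uoffset=4097: %zu (wrapped)\n",
           model_copy_unchecked(&xio, 4097));
    printf("checked,   uoffset=4097: %s\n",
           model_copy_checked(&xio, 4097, &n) ? "ok" : "rejected");
    printf("checked,   uoffset=-1:   %s\n",
           model_copy_checked(&xio, -1, &n) ? "ok" : "rejected");
    return 0;
}
```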