DragonFlyBSD Kernel Audit
DF-0183

UAF of tsleep wait channel when racing unregister of in-flight resident image

Summary

sys_exec_sys_unregister releases the exclusive lock (:292) and then calls tsleep(vmres, ...) (:293) to wait for the in-flight resident image. A concurrent unregister running in that window can TAILQ_REMOVE the entry, vdrop() its vnode, vmspace_rel() its vmspace and kfree(vmres) (:301-311), so the first thread ends up sleeping on the address of a freed object: a use-after-free of the wait channel. Because the sleep carries a 1-tick timeout the thread wakes itself anyway, so the observable effect is a scheduling correctness bug (lost wakeups). Reachable by root only.
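As an added illustration (not code from the audit or from DragonFly), a constructed single-threaded model of the two interleaved unregister calls: the vulnerable ordering frees the entry under the sleeper, while holding a reference across the sleep (an assumed mitigation pattern, not necessarily the project's fix) keeps the wait channel alive until the sleeper is done with it.

```c
#include <stdlib.h>

/* Constructed model of the race, not DragonFly code.  A registered
 * resident image is a list entry; an unregister that finds it still
 * in flight drops the list lock and tsleep()s on the entry's address. */
struct vmres {
    int refs;      /* hardened variant: list ref + one per sleeper */
    int in_flight; /* an exec is still using this image */
    int on_list;   /* still linked in the registry */
    int freed;     /* stands in for kfree(); real code must never touch it */
};

static struct vmres *vmres_new(void) {
    struct vmres *r = calloc(1, sizeof *r);
    r->refs = 1;        /* the registry list's own reference */
    r->in_flight = 1;
    r->on_list = 1;
    return r;
}

/* Drop one reference; the last one frees (models kfree). */
static void vmres_rel(struct vmres *r) {
    if (--r->refs == 0) r->freed = 1;
}

/* The concurrent unregister (the :301-311 path): unlink and release. */
static void racing_unregister(struct vmres *r, int hardened) {
    r->on_list = 0;               /* TAILQ_REMOVE */
    if (hardened) vmres_rel(r);   /* only the list's reference goes away */
    else r->freed = 1;            /* unconditional kfree with a sleeper on it */
}

/* The first unregister: returns 1 if the wait channel it sleeps on is
 * still a live object at the point tsleep() would run, 0 if dangling.
 * After waking, a correct caller also re-checks on_list under the lock
 * before trying to remove the entry itself. */
static int wchan_live_across_sleep(int hardened) {
    struct vmres *r = vmres_new();
    if (hardened) r->refs++;      /* take a reference BEFORE releasing the lock */
    /* lock released here; the racing thread runs to completion in the window */
    racing_unregister(r, hardened);
    int live = !r->freed;         /* tsleep(r, ...) keys on this address */
    if (hardened) vmres_rel(r);   /* after wakeup: drop our ref, last one frees */
    free(r);                      /* model bookkeeping only */
    return live;
}
```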