DragonFlyBSD Kernel Audit
DF-0195

Unlocked devstat list: concurrent device detach vs sysctl walk yields UAF (world-readable sysctl)

Summary

The `device_statq` STAILQ is mutated by `devstat_add/remove` without a lock and traversed by `sysctl_devstat`, also without a lock; the sysctl is world-readable. The walk caches `STAILQ_NEXT` (:291) and then calls `SYSCTL_OUT` (:292). A concurrent detach followed by `kfree` means `SYSCTL_OUT` reads freed memory. Trigger: an unprivileged user reading sysctl `kern.devstat.all` while a USB/CAM/md device detaches. Impact: panic or heap info leak.
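
One way to close the race described above, shown as an added example that is not from the audit or from DragonFly's source: a user-space C model in which add and remove take a lock and bump a generation counter, and the walker snapshots each entry under the lock, drops the lock for the copy-out, and fails with EBUSY if the list changed in between. All names (`statq`, `statq_lock`, `statq_gen`, `model_add`, `model_remove`, `model_walk`, the `racer` test hook) are hypothetical, and a pthread mutex stands in for a kernel lock.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <sys/queue.h>

/* User-space model with hypothetical names; not DragonFly kernel code. */
struct dstat { int unit; STAILQ_ENTRY(dstat) link; };
static STAILQ_HEAD(, dstat) statq = STAILQ_HEAD_INITIALIZER(statq);
static pthread_mutex_t statq_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned statq_gen;      /* bumped under the lock on every add/remove */

struct dstat *model_add(int unit) {
    struct dstat *d = calloc(1, sizeof(*d));
    if (d == NULL) return NULL;
    d->unit = unit;
    pthread_mutex_lock(&statq_lock);
    STAILQ_INSERT_TAIL(&statq, d, link);
    statq_gen++;
    pthread_mutex_unlock(&statq_lock);
    return d;
}
void model_remove(struct dstat *d) {    /* detach: unlink, then free */
    pthread_mutex_lock(&statq_lock);
    STAILQ_REMOVE(&statq, d, dstat, link);
    statq_gen++;
    pthread_mutex_unlock(&statq_lock);
    free(d);
}
/* Returns the count copied to out[] or -EBUSY; racer is a constructed hook. */
int model_walk(int *out, int max, struct dstat *racer) {
    struct dstat *d, snap;
    int n = 0, error = 0;
    pthread_mutex_lock(&statq_lock);
    unsigned gen = statq_gen;
    for (d = STAILQ_FIRST(&statq); d != NULL && n < max; d = STAILQ_NEXT(d, link)) {
        snap = *d;                           /* copy while d cannot be freed */
        pthread_mutex_unlock(&statq_lock);   /* a real copy-out may block */
        if (racer != NULL) { model_remove(racer); racer = NULL; }
        out[n++] = snap.unit;                /* stands in for SYSCTL_OUT */
        pthread_mutex_lock(&statq_lock);
        if (gen != statq_gen) { error = EBUSY; break; }  /* d may be freed */
    }
    pthread_mutex_unlock(&statq_lock);
    return error ? -error : n;
}
int main(void) {                 /* constructed scenario: detach mid-walk */
    int out[4];
    return model_walk(out, 4, model_add(1)) == -EBUSY ? 0 : 1;
}
```

The walker only follows `d`'s link when the generation is unchanged, so it never dereferences an entry that a concurrent remove may have freed; a caller that gets `-EBUSY` retries the walk.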