DragonFlyBSD Kernel Audit
DF-0249

Driver b_resid>b_bcount underflows iolen to huge size_t: oversized copyout leaks kernel heap

Summary

kern_physio.c:112 computes iolen = b_bcount - b_resid, where both struct buf fields are int, and stores the result in a size_t. If a driver completes the buffer with b_resid > b_bcount (an accounting error), the int subtraction goes negative and the conversion to size_t wraps it to a value just below SIZE_MAX. The copyout at :115 then uses that length and reads far past the end of b_data, disclosing kernel heap to userspace; how much reaches the caller before the copy faults depends on what is mapped after b_data and on the user destination, so the audit should also confirm that copyout's own range check does not accept the wrapped length. The uio bookkeeping at :124-127 subtracts the same iolen from iov_len and uio_resid, which underflow as well (iov_len actually grows, so the transfer loop keeps going rather than terminating). There is no defensive clamp such as rejecting b_resid > b_bcount with EIO. Triggering this requires a driver accounting error, but physio amplifies any such error into a heap disclosure.
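The arithmetic above, as an added example that is not DragonFlyBSD code: physio_step() mirrors the int-to-size_t length computation, the copyout length, and the iov_len update for one completed read buffer, and its hardened branch shows one possible clamp (validate the driver's accounting before the subtraction is widened). struct fake_buf, struct step_result, physio_step() and the sample values are hypothetical; only the int type of b_bcount/b_resid and the order of operations come from the audited code.

```c
/*
 * Added example (not DragonFlyBSD code): models the int -> size_t length
 * computation physio() performs after a driver completes a buffer, and a
 * hardened variant that validates the driver's accounting first.
 * struct fake_buf, struct step_result and physio_step() are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Only the struct buf fields the length arithmetic depends on; the first
 * two are int, as in the real struct buf. */
struct fake_buf {
    int    b_bcount;   /* bytes requested from the driver */
    int    b_resid;    /* bytes the driver reports as not transferred */
    size_t b_bufsize;  /* size of the kernel data buffer behind b_data */
};

struct step_result {
    int    ok;            /* 0 if the step was rejected as a driver error */
    size_t iolen;         /* length that would be handed to copyout() */
    size_t overread;      /* bytes copyout() would read past the end of b_data */
    size_t iov_len_after; /* iov_len after the uio bookkeeping */
};

/*
 * One read-completion step. hardened == 0 reproduces the audited logic:
 * int subtraction stored into size_t, no clamp. hardened != 0 rejects
 * impossible accounting before the subtraction is widened.
 */
struct step_result
physio_step(const struct fake_buf *bp, size_t iov_len, int hardened)
{
    struct step_result r = { 1, 0, 0, iov_len };

    if (hardened &&
        (bp->b_bcount < 0 || bp->b_resid < 0 || bp->b_resid > bp->b_bcount)) {
        r.ok = 0;               /* caller should fail the I/O, e.g. with EIO */
        return r;
    }

    /* int - int, then converted to size_t: a negative result wraps to ~SIZE_MAX */
    r.iolen = bp->b_bcount - bp->b_resid;

    /* copyout(bp->b_data, iov_base, iolen) reads iolen bytes starting at b_data */
    r.overread = r.iolen > bp->b_bufsize ? r.iolen - bp->b_bufsize : 0;

    /* uio bookkeeping: iov_len -= iolen wraps the same way */
    r.iov_len_after = iov_len - r.iolen;
    return r;
}

int main(void)
{
    /* constructed sample completions: a correct one and a driver that
     * over-reports its residual */
    struct fake_buf good = { 4096, 0,    4096 };
    struct fake_buf bad  = { 4096, 8192, 4096 };
    struct step_result r;

    r = physio_step(&good, 4096, 0);
    printf("good:      iolen=%zu overread=%zu iov_len=%zu\n",
           r.iolen, r.overread, r.iov_len_after);
    r = physio_step(&bad, 4096, 0);
    printf("bad/unchk: iolen=%zu overread=%zu iov_len=%zu\n",
           r.iolen, r.overread, r.iov_len_after);
    r = physio_step(&bad, 4096, 1);
    printf("bad/hard:  ok=%d\n", r.ok);
    return 0;
}
```

With the bad completion the unchecked path yields iolen = SIZE_MAX - 4095, so copyout would attempt to read roughly the whole address space after b_data, and iov_len becomes 8192 instead of 0: the loop does not terminate, it issues further I/O with inconsistent lengths. The hardened branch refuses the step before any of that arithmetic happens.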