DragonFlyBSD Kernel Audit
DF-0252

Theoretical cross-field torn-read between sys_profil multi-field update and addupc

Summary

sys_profil (:68-74) writes pr_off, pr_scale, pr_base and pr_size as four separate stores under p_token and crit_enter. addupc_intr and addupc_task (:108, :134) read these fields without holding p_token, so a cross-field torn read (a mix of old and new field values) is theoretically possible. Likely mitigated: crit_enter blocks statclock on the same CPU, and the process runs on one CPU. The pr_size bounds check and copyin fault handling act as a backstop.
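The torn read described above, as an added userland model (not code from the audited source): it enumerates all 16 old/new mixes of the four fields and classifies where the sample address would land. The struct name, the field values, the sampled pc and the 16.16 fixed-point index formula are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Userland model of the four profil fields named in the finding. */
struct uprof_model { uint64_t pr_off, pr_scale, pr_base, pr_size; };

/* Constructed sample values: state before and after a profil() update. */
static const struct uprof_model OLD = { 0x400000, 0x10000, 0x10000, 0x1000 };
static const struct uprof_model NEW = { 0x401000, 0x08000, 0x20000, 0x4000 };
static const uint64_t SAMPLE_PC = 0x402000;   /* constructed sampled pc */

/* Assumed BSD-style 16.16 fixed-point index; not copied from the audited file. */
static uint64_t pc_to_index(uint64_t pc, uint64_t off, uint64_t scale)
{
    return (((pc - off) * scale) >> 16) & ~(uint64_t)1;
}

static int inside(const struct uprof_model *u, uint64_t addr)
{
    return addr >= u->pr_base && addr + sizeof(uint16_t) <= u->pr_base + u->pr_size;
}

/* Bit k of mask set => the reader sees the NEW value of field k
 * (0 = pr_off, 1 = pr_scale, 2 = pr_base, 3 = pr_size).
 * Returns 0 = sample dropped by the pr_off/pr_size checks,
 *         1 = address inside the old or new buffer (possibly the wrong counter),
 *         2 = address outside both, left to copyin/copyout fault handling. */
static int classify_mask(unsigned mask)
{
    struct uprof_model v;
    v.pr_off   = (mask & 1) ? NEW.pr_off   : OLD.pr_off;
    v.pr_scale = (mask & 2) ? NEW.pr_scale : OLD.pr_scale;
    v.pr_base  = (mask & 4) ? NEW.pr_base  : OLD.pr_base;
    v.pr_size  = (mask & 8) ? NEW.pr_size  : OLD.pr_size;
    if (SAMPLE_PC < v.pr_off) return 0;
    uint64_t i = pc_to_index(SAMPLE_PC, v.pr_off, v.pr_scale);
    if (i >= v.pr_size) return 0;             /* the pr_size bounds check */
    uint64_t addr = v.pr_base + i;
    return (inside(&OLD, addr) || inside(&NEW, addr)) ? 1 : 2;
}

static int count_class(int cls)
{
    int n = 0;
    for (unsigned m = 0; m < 16; m++) n += (classify_mask(m) == cls);
    return n;
}

int main(void)
{
    for (int c = 0; c < 3; c++) printf("class %d: %d of 16 views\n", c, count_class(c));
    return 0;
}
```

In this model the only views that leave both buffers are those pairing the new pr_size with the old pr_base, which is the case the copyin fault handling backstop covers.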