DragonFlyBSD Kernel Audit
DF-0277

Kernel pointer leak via DIOCGETRULE: bcopy of pf_rule exposes kif/anchor/rpool.cur/skip[].ptr

Summary

In the DIOCGETRULE ioctl handler (line 1336), bcopy(rule, &pr->rule, sizeof(struct pf_rule)) copies the whole in-kernel struct pf_rule into the user-visible reply. struct pf_rule carries kernel pointers: entries.tqe_prev/tqe_next, rpool.cur, kif, anchor and overload_tbl. The fix-up loop that follows rewrites only the low 32 bits of each skip[] entry, so on amd64 the high 32 bits of the original skip[].ptr values survive the copy to userland. The leaked addresses are enough to defeat KASLR. The ioctl is reachable only by root.
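The defect has two parts: a bulk copy that carries pointer fields through untouched, and a "fix-up" that writes a 32-bit member of a union whose other member is a 64-bit pointer, so half of the address stays behind on LP64. The following added example (not DragonFly's code; the struct is a deliberately simplified, hypothetical stand-in for struct pf_rule and the field names are illustrative only) shows the leaky export pattern next to a scrubbed one, plus an audit helper that counts slots of the exported copy still holding kernel address bytes:

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SKIP_COUNT 4

/* Hypothetical stand-in for struct pf_rule. Not the real layout; only the
 * pattern matters: a union of a 32-bit number and a pointer, plus several
 * bare kernel pointers that must never be exported. */
union skip_step {
    uint32_t nr;   /* rule number: what userland should receive */
    void    *ptr;  /* in-kernel rule pointer: must not reach userland */
};

struct rule {
    void *tqe_next;   /* list linkage, kernel pointer */
    void *tqe_prev;
    void *kif;        /* interface binding, kernel pointer */
    void *anchor;
    void *pool_cur;
    union skip_step skip[SKIP_COUNT];
    uint32_t nr;      /* rule number, safe to export */
    uint32_t action;  /* plain data, safe to export */
};

/* The pattern the finding describes: bulk copy, then a loop that stores only
 * the 32-bit union member. On LP64 the remaining 4 bytes of each skip slot
 * keep whatever the kernel pointer held, and the standalone pointer fields
 * are copied through untouched. */
void export_rule_leaky(const struct rule *kr, struct rule *out)
{
    memcpy(out, kr, sizeof(*out));
    for (int i = 0; i < SKIP_COUNT; i++)
        out->skip[i].nr = kr->nr + i;   /* assumed: export an index, never an address */
}

/* Hardened variant: the user-visible copy starts zeroed, only non-pointer
 * fields are copied explicitly, and each skip slot is cleared at full width
 * before the 32-bit number is written into it. */
void export_rule_scrubbed(const struct rule *kr, struct rule *out)
{
    memset(out, 0, sizeof(*out));
    out->nr = kr->nr;
    out->action = kr->action;
    for (int i = 0; i < SKIP_COUNT; i++) {
        out->skip[i].ptr = NULL;        /* clears all pointer-width bytes */
        out->skip[i].nr  = kr->nr + i;
    }
}

/* Audit helper: count slots of the exported copy that still carry bytes of a
 * kernel address. Pointer fields must be NULL, and each skip slot read at
 * full pointer width must equal its 32-bit rule number. */
int count_leaked_slots(const struct rule *out)
{
    int leaks = 0;
    const void *ptrs[] = { out->tqe_next, out->tqe_prev, out->kif,
                           out->anchor, out->pool_cur };
    for (size_t i = 0; i < sizeof(ptrs) / sizeof(ptrs[0]); i++)
        if (ptrs[i] != NULL)
            leaks++;
    for (int i = 0; i < SKIP_COUNT; i++)
        if ((uintptr_t)out->skip[i].ptr != (uintptr_t)out->skip[i].nr)
            leaks++;
    return leaks;
}

/* Constructed sample: a fake in-kernel rule whose pointer fields hold made-up
 * kernel-looking addresses (not real DragonFly addresses). */
struct rule make_sample_kernel_rule(void)
{
    struct rule r;
    memset(&r, 0, sizeof(r));
    r.tqe_next = (void *)(uintptr_t)0xffffffff80a00010ULL;
    r.tqe_prev = (void *)(uintptr_t)0xffffffff80a00020ULL;
    r.kif      = (void *)(uintptr_t)0xffffffff80b01000ULL;
    r.anchor   = (void *)(uintptr_t)0xffffffff80b02000ULL;
    r.pool_cur = (void *)(uintptr_t)0xffffffff80b03000ULL;
    for (int i = 0; i < SKIP_COUNT; i++)
        r.skip[i].ptr = (void *)(uintptr_t)(0xffffffff80c00000ULL + 0x100ULL * i);
    r.nr = 7;
    r.action = 1;
    return r;
}

/* Runs one export path over the sample and reports how many slots leak. */
int leaked_count_for_sample(int use_scrubbed)
{
    struct rule kr = make_sample_kernel_rule();
    struct rule out;
    if (use_scrubbed)
        export_rule_scrubbed(&kr, &out);
    else
        export_rule_leaky(&kr, &out);
    return count_leaked_slots(&out);
}

int main(void)
{
    printf("leaky export:    %d slots carry kernel address bytes\n", leaked_count_for_sample(0));
    printf("scrubbed export: %d slots carry kernel address bytes\n", leaked_count_for_sample(1));
    return 0;
}
```

On amd64 the leaky path reports nine leaking slots (five bare pointers plus the four half-overwritten skip entries); on an ILP32 build the skip loop happens to cover the whole slot, so only the five bare pointers leak, which is why the review check should look at every pointer-typed member and not just the union. The scrubbed path reports zero.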