DragonFlyBSD Kernel Audit
DF-0278

Kernel pointer leak via DIOCGETADDR: bcopy of pf_pooladdr exposes pfi_kif*

Summary

In the DIOCGETADDR ioctl handler (line 2220), the matching pool address entry is copied into the user-supplied buffer with bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr)). Because the whole struct pf_pooladdr is copied, the pfi_kif * pointer and the TAILQ_ENTRY linkage pointers it contains are returned to userland. The subsequent pf_addr_copyout() only scrubs the addr member, not the list linkage or the kif pointer. The disclosed kernel addresses allow a KASLR bypass. Root-only: the ioctl requires privilege.
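The fix pattern for this class of bug is to never hand a kernel-internal structure to userland as-is: either scrub every kernel-only field before the copy, or fill a dedicated export structure field by field. The following is an added example, not DragonFly kernel code or a patch for the finding; struct mock_pooladdr, struct mock_pooladdr_export and the export_* helpers are constructed for the demo and only mirror the shape described above (user-visible address and interface name interleaved with list linkage and an interface-object pointer). The buffer_contains_pointer() check plays the role of the test a maintainer would run against the userland copy.

```c
/* Added example (not DragonFly kernel code): exporting a kernel record to
 * userland without leaking kernel pointers. All names here are constructed
 * for the demo and mirror the layout described in the finding. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MOCK_IFNAMSIZ 16

struct mock_kif { int refcnt; };

/* Kernel-internal record: user-visible data interleaved with kernel-only
 * pointers (list linkage, interface-object pointer). */
struct mock_pooladdr {
    uint32_t addr[4];                  /* user-visible address (v4/v6) */
    struct mock_pooladdr *tqe_next;    /* kernel-only: list linkage */
    struct mock_pooladdr **tqe_prev;   /* kernel-only: list linkage */
    char ifname[MOCK_IFNAMSIZ];        /* user-visible */
    struct mock_kif *kif;              /* kernel-only: resolved interface */
};

/* Export-only view: has no room for kernel pointers at all. */
struct mock_pooladdr_export {
    uint32_t addr[4];
    char ifname[MOCK_IFNAMSIZ];
};

/* Bug pattern: whole-struct copy into the user-supplied buffer; the
 * kernel pointers ride along. Stands in for bcopy(pa, &pp->addr, ...). */
void export_whole_struct(const struct mock_pooladdr *pa, void *user_buf) {
    memcpy(user_buf, pa, sizeof(*pa));
}

/* Fix A: copy, then clear every kernel-only field before it reaches userland. */
void export_scrubbed(const struct mock_pooladdr *pa, void *user_buf) {
    struct mock_pooladdr tmp;
    memcpy(&tmp, pa, sizeof(tmp));
    tmp.tqe_next = NULL;
    tmp.tqe_prev = NULL;
    tmp.kif = NULL;
    memcpy(user_buf, &tmp, sizeof(tmp));
}

/* Fix B (preferred): field-wise copy into a zeroed export struct, so neither
 * pointers nor uninitialized padding can leak. */
void export_fieldwise(const struct mock_pooladdr *pa, struct mock_pooladdr_export *out) {
    memset(out, 0, sizeof(*out));
    memcpy(out->addr, pa->addr, sizeof(out->addr));
    memcpy(out->ifname, pa->ifname, sizeof(out->ifname));
}

/* Check: does the buffer contain the pointer value at any byte offset? */
int buffer_contains_pointer(const void *buf, size_t len, const void *ptr) {
    uintptr_t needle = (uintptr_t)ptr;
    for (size_t off = 0; off + sizeof(uintptr_t) <= len; off++) {
        uintptr_t v;
        memcpy(&v, (const char *)buf + off, sizeof(v));
        if (v == needle) return 1;
    }
    return 0;
}

static struct mock_kif g_kif = { 1 };
static struct mock_pooladdr g_list_head;   /* the list the record sits on */

/* Constructed sample record with known, non-NULL kernel pointers. */
static void build_record(struct mock_pooladdr *pa) {
    memset(pa, 0, sizeof(*pa));
    pa->addr[0] = 0x0a000001u;             /* constructed: 10.0.0.1 */
    strncpy(pa->ifname, "em0", sizeof(pa->ifname) - 1);
    pa->tqe_next = &g_list_head;
    pa->tqe_prev = &g_list_head.tqe_next;
    pa->kif = &g_kif;
}

/* Returns 1 if the userland copy produced by `method` (0 = whole struct,
 * 1 = scrub then copy, 2 = field-wise export) still holds a kernel pointer. */
int export_leaks(int method) {
    struct mock_pooladdr pa;
    unsigned char user_buf[sizeof(struct mock_pooladdr)];
    struct mock_pooladdr_export ex;
    const void *buf;
    size_t len;

    build_record(&pa);
    switch (method) {
    case 0:  export_whole_struct(&pa, user_buf); buf = user_buf; len = sizeof(user_buf); break;
    case 1:  export_scrubbed(&pa, user_buf);     buf = user_buf; len = sizeof(user_buf); break;
    default: export_fieldwise(&pa, &ex);         buf = &ex;      len = sizeof(ex);       break;
    }
    return buffer_contains_pointer(buf, len, pa.kif)
        || buffer_contains_pointer(buf, len, pa.tqe_next)
        || buffer_contains_pointer(buf, len, pa.tqe_prev);
}

int main(void) {
    printf("whole-struct copy leaks: %d\n", export_leaks(0));
    printf("scrub-then-copy leaks:   %d\n", export_leaks(1));
    printf("field-wise export leaks: %d\n", export_leaks(2));
    return 0;
}
```

The field-wise variant is the one to prefer in review: a scrub list has to be kept in sync every time a kernel-only member is added to the struct, whereas an export struct can only ever carry what it declares.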