DragonFlyBSD Kernel Audit
DF-0296

UAF/cross-node races: peer hooks/nodes dereferenced without reference or peer-token

Summary

ng_findhook (:1092) returns a hook without taking a reference (noted in an XXX comment). Callers then dereference hook->hk_peer->hk_peer->hk_node while holding only the local node's reader token. ng_destroy_hook can free the peer concurrently under TOPOLOGY_WLOCK. ng_path2noderef (:1773-1808), LISTHOOKS (:2246-2265) and ng_con_part2 (:1414-1424) are all affected. The code itself admits "Big race conditions". Reachable only through ng_socket, which is root-only.
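
An added example, not code from DragonFlyBSD or from this audit: a single-threaded user-space C model of the counted-reference pattern whose absence the summary describes. All struct and function names are hypothetical, and the concurrent teardown is replayed as a fixed interleaving instead of a real second thread.

```c
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not the netgraph API. */
struct hook {
    int refs;             /* starts at 1: the owning node's hook list */
    int invalid;          /* set once the hook has been unlinked */
    struct hook *peer;
};

static int freed;         /* hooks whose memory was actually released */

static struct hook *hook_new(void) {
    struct hook *h = calloc(1, sizeof(*h));
    if (h == NULL) abort();
    h->refs = 1;
    return h;
}

static void hook_unref(struct hook *h) {
    if (--h->refs == 0) { freed++; free(h); }
}

/* Counted peer lookup. In a kernel this runs with the topology lock held,
 * so the peer cannot be unlinked between the check and the increment. */
static struct hook *peer_ref(struct hook *h) {
    struct hook *p = h->peer;
    if (p == NULL || p->invalid) return NULL;
    p->refs++;
    return p;
}

/* Teardown: unlink both ends, then drop the hook list's reference. */
static void hook_destroy(struct hook *h) {
    h->invalid = 1;
    if (h->peer != NULL) { h->peer->peer = NULL; h->peer = NULL; }
    hook_unref(h);
}

/* Replays the interleaving: reader takes the peer, teardown runs, reader
 * then uses the peer. Returns 1 if the peer stayed allocated until released. */
static int replay_with_ref(void) {
    struct hook *a = hook_new(), *b = hook_new();
    freed = 0;
    a->peer = b; b->peer = a;
    struct hook *p = peer_ref(a);      /* reader now holds b */
    hook_destroy(b);                   /* concurrent teardown of b */
    int alive = (freed == 0) && p->invalid && p->refs == 1;
    hook_unref(p);                     /* last reference: b is freed here */
    int late = (peer_ref(a) == NULL);  /* a later lookup finds no peer */
    hook_destroy(a);
    return alive && late && freed == 2;
}
```

Without the increment in `peer_ref`, `hook_destroy(b)` would release the memory while the reader still held `p`, which is the window the finding describes.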