DF-0307
Kernel heap/code pointer leak via SYSCTL_OPAQUE of mfctable and viftable to unprivileged users
Summary
mfctable (:90-91) and viftable (:95-96) are exported verbatim via SYSCTL_OPAQUE with CTLFLAG_RD, so any user can read them. struct mfc carries the pointers mfc_next, mfc_stall and mfc_bw_meter. struct vif carries the pointers v_ifp, v_tbf, v_rsvpd and v_route. Running sysctl net.inet.ip.viftable returns raw kernel addresses, which gives an unprivileged user a KASLR bypass.
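
One way to close this kind of leak, shown as an added example that is not the project's code: a userland C model contrasting a verbatim table export with one that copies out only allowlisted non-pointer fields. The struct name vif_model, the fields v_flags and v_pkt_in, and both function names are assumptions; only the four pointer member names come from the finding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct vif. Only the four pointer member names come
 * from the finding; v_flags and v_pkt_in are assumed non-pointer fields. */
struct vif_model {
    uint8_t  v_flags;
    void    *v_ifp, *v_tbf, *v_rsvpd, *v_route;
    uint64_t v_pkt_in;
};

/* Leaky pattern: the table leaves byte-for-byte, as an opaque export does. */
size_t export_verbatim(const struct vif_model *tbl, size_t n, void *out, size_t outlen)
{
    size_t need = n * sizeof(*tbl);
    if (outlen < need)
        return 0;
    memcpy(out, tbl, need);
    return need;
}

/* Hardened pattern: start from a zeroed entry and copy only allowlisted
 * non-pointer fields, so pointer members never reach the output buffer. */
size_t export_scrubbed(const struct vif_model *tbl, size_t n, void *out, size_t outlen)
{
    size_t need = n * sizeof(*tbl);
    if (outlen < need)
        return 0;
    for (size_t i = 0; i < n; i++) {
        struct vif_model tmp;
        memset(&tmp, 0, sizeof(tmp));
        tmp.v_flags = tbl[i].v_flags;
        tmp.v_pkt_in = tbl[i].v_pkt_in;
        memcpy((char *)out + i * sizeof(tmp), &tmp, sizeof(tmp));
    }
    return need;
}

int main(void)
{
    int marker = 0; /* constructed: stands in for a kernel object */
    struct vif_model tbl[1] = {{ .v_flags = 1, .v_ifp = &marker, .v_pkt_in = 7 }}, out[1];
    export_verbatim(tbl, 1, out, sizeof(out));
    printf("verbatim v_ifp set: %d\n", out[0].v_ifp != NULL);
    export_scrubbed(tbl, 1, out, sizeof(out));
    printf("scrubbed v_ifp set: %d\n", out[0].v_ifp != NULL);
    return 0;
}
```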