DragonFlyBSD Kernel Audit
DF-0307

Kernel heap/code pointer leak via SYSCTL_OPAQUE of mfctable and viftable to unprivileged users

Summary

mfctable (:90-91) and viftable (:95-96) are exported verbatim via SYSCTL_OPAQUE with CTLFLAG_RD, readable by any user. struct mfc carries the mfc_next, mfc_stall and mfc_bw_meter pointers; struct vif carries the v_ifp, v_tbf, v_rsvpd and v_route pointers. Reading sysctl net.inet.ip.viftable therefore returns raw kernel addresses, which gives a KASLR bypass.
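
One way to check for and close this kind of export, as an added example that is not DragonFly code: a scanner that counts kernel-looking words in an exported record, run over a verbatim copy and over a scrubbed copy. struct vif_model, its scalar fields, the sample addresses, the function names and the x86-64 upper-half threshold are assumptions; only the four pointer field names come from the finding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the real struct vif: only the four pointer field
 * names come from the finding. Pointers are held as uint64_t so constructed
 * kernel addresses can be embedded on any host. */
struct vif_model {
    uint8_t  v_flags, v_threshold;              /* placeholder scalar fields */
    uint64_t v_ifp, v_tbf, v_rsvpd, v_route;    /* kernel pointers */
};
/* Assumption: x86-64, kernel addresses sit in the upper canonical half. */
#define KVA_MIN 0xffff800000000000ULL

/* Count 8-byte words in an exported buffer that look like kernel addresses. */
size_t count_kernel_words(const void *buf, size_t len)
{
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 8) {
        uint64_t w;
        memcpy(&w, (const uint8_t *)buf + off, 8);
        n += (w >= KVA_MIN);
    }
    return n;
}

/* Hardened export: build the user-visible record from zeroed memory and copy
 * scalars field by field, so pointer fields and padding both stay zero. */
void vif_export_scrubbed(const struct vif_model *in, struct vif_model *out)
{
    memset(out, 0, sizeof *out);
    out->v_flags = in->v_flags; out->v_threshold = in->v_threshold;
}

static void sample_vif(struct vif_model *v)     /* constructed sample entry */
{
    memset(v, 0, sizeof *v);
    v->v_flags = 1; v->v_threshold = 4;
    v->v_ifp = 0xfffff80012345000ULL; v->v_tbf = 0xfffff80012346000ULL;
    v->v_rsvpd = 0xfffff80012347000ULL; v->v_route = 0xffffffff80a1b2c0ULL;
}

size_t raw_export_leaks(void)       /* verbatim copy-out, as in the finding */
{ struct vif_model v; sample_vif(&v); return count_kernel_words(&v, sizeof v); }
size_t scrubbed_export_leaks(void)  /* same entry through the scrubbed path */
{ struct vif_model v, u; sample_vif(&v); vif_export_scrubbed(&v, &u);
  return count_kernel_words(&u, sizeof u); }

int main(void)
{ printf("raw: %zu scrubbed: %zu\n", raw_export_leaks(), scrubbed_export_leaks()); return 0; }
```

The same scanner can serve as a regression check over any opaque sysctl buffer after a fix, with the threshold adjusted to the platform's kernel address range.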