DragonFlyBSD Kernel Audit
DF-0333

Kernel pointer leak to unprivileged users via in_pcblist_range xinpcb dump

Summary

in_pcblist_range(:2467-2471) uses bcopy to copy the entire struct inpcb, including ~12 kernel pointers (inp_hash/list/portlist links, inp_ppcb, inp_pcbinfo, inp_socket, inp_porthash, inp_phd, inp_options, inp_moptions, inp_route.ro_rt, inp_pf_sk), into the xinpcb that is exported through the CTLFLAG_RD pcblist sysctls. There is no privilege gate, so any unprivileged user can run sysctl net.inet.udp.pcblist and obtain a KASLR bypass plus heap layout information.
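
The whole-struct copy described above, next to a scrubbed export and a regression check that scans the exported record for known addresses. This is an added userland sketch, not DragonFlyBSD code: `toy_pcb`, `toy_xpcb`, `export_raw`, `export_scrubbed` and `count_leaked` are hypothetical stand-ins, and the sample objects are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for struct inpcb / struct xinpcb; not the kernel's definitions. */
struct toy_pcb {
    struct toy_pcb *list_next;  /* plays the role of a list link */
    void *ppcb, *socket;        /* play the role of inp_ppcb, inp_socket */
    uint32_t laddr, faddr;
    uint16_t lport, fport;
};
struct toy_xpcb { size_t xi_len; struct toy_pcb xi_inp; };

/* Pattern from the finding: whole-struct copy, pointers included. */
void export_raw(const struct toy_pcb *inp, struct toy_xpcb *xi) {
    memset(xi, 0, sizeof(*xi));
    xi->xi_len = sizeof(*xi);
    memcpy(&xi->xi_inp, inp, sizeof(*inp));
}

/* Hardened: zero the record (padding too), copy only non-pointer fields. */
void export_scrubbed(const struct toy_pcb *inp, struct toy_xpcb *xi) {
    memset(xi, 0, sizeof(*xi));
    xi->xi_len = sizeof(*xi);
    xi->xi_inp.laddr = inp->laddr;  xi->xi_inp.faddr = inp->faddr;
    xi->xi_inp.lport = inp->lport;  xi->xi_inp.fport = inp->fport;
}

/* Regression check: count pointer-sized words in the export equal to a known address. */
int count_leaked(const struct toy_xpcb *xi, const void *const *known, size_t n) {
    int hits = 0;
    for (size_t off = 0; off + sizeof(void *) <= sizeof(*xi); off += sizeof(void *)) {
        const void *w;
        memcpy(&w, (const unsigned char *)xi + off, sizeof(w));
        for (size_t i = 0; i < n; i++)
            hits += (w != NULL && w == known[i]);
    }
    return hits;
}

int main(void) {
    static struct toy_pcb next; static int proto, sock;  /* constructed sample objects */
    struct toy_pcb inp = { &next, &proto, &sock, 0x0a000001u, 0x0a000002u, 53, 40000 };
    const void *known[] = { &next, &proto, &sock };
    struct toy_xpcb xi;
    export_raw(&inp, &xi);      printf("raw:      %d leaked\n", count_leaked(&xi, known, 3));
    export_scrubbed(&inp, &xi); printf("scrubbed: %d leaked\n", count_leaked(&xi, known, 3));
    return 0;
}
```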