DragonFlyBSD Kernel Audit
DF-0336

tcp6_getcred hands live cred pointer to blocking copyout (UAF window) unlike IPv4 path

Summary

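tcp6_getcred (:1387) passes the live credential pointer straight to the copyout: SYSCTL_OUT(req, inp->inp_socket->so_cred, sizeof(ucred)). The IPv4 twin (:1350) copies the cred to a stack local first. copyout can sleep; if the connection is torn down during that sleep, the ucred is freed while it is still being read (UAF). tcp6_getcred also does not call lwkt_migratecpu(0), unlike the IPv4 path. Root-only.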
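
The difference between the two paths in the summary above, as an added userland model (not DragonFly source and not part of the audit entry). All names are hypothetical, and teardown poisons the cred slot with 0xdf bytes instead of freeing it so the stale read stays well-defined.

```c
/* Userland model (constructed); every name here is hypothetical. */
#include <stdio.h>
#include <string.h>

struct cred { unsigned uid; int freed; };   /* stand-in for struct ucred */
struct sock { struct cred *so_cred; };      /* stand-in for the socket */

static struct cred pool_slot;               /* memory the cred lives in */

/* Teardown racing with the sysctl: releases the cred and poisons the slot. */
static void teardown(struct sock *so) {
    memset(so->so_cred, 0xdf, sizeof(struct cred));
    so->so_cred->freed = 1;
    so->so_cred = NULL;
}

/* Model of a copyout that blocks: teardown runs while it "sleeps". */
static void blocking_copyout(struct sock *so, const void *src, void *dst, size_t n) {
    teardown(so);           /* connection goes away during the sleep */
    memcpy(dst, src, n);    /* copy resumes and reads src */
}

/* Pattern in the finding: live pointer handed to the blocking copy. */
static unsigned getcred_live(struct sock *so) {
    struct cred out;
    blocking_copyout(so, so->so_cred, &out, sizeof(out));
    return out.uid;
}

/* Pattern the finding attributes to the IPv4 path: snapshot to a stack local. */
static unsigned getcred_snapshot(struct sock *so) {
    struct cred local = *so->so_cred, out;
    blocking_copyout(so, &local, &out, sizeof(out));
    return out.uid;
}

/* Reset the model: one socket owning a cred with the given uid. */
static struct sock *fresh_sock(unsigned uid) {
    static struct sock so;
    pool_slot.uid = uid; pool_slot.freed = 0;
    so.so_cred = &pool_slot;
    return &so;
}

int main(void) {
    printf("live:     uid=%#x\n", getcred_live(fresh_sock(1001)));
    printf("snapshot: uid=%#x\n", getcred_snapshot(fresh_sock(1001)));
    return 0;
}
```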