DragonFlyBSD Kernel Audit
DF-0337

tcp_pcblist sysctl raw-copies entire inpcb and tcpcb with kernel pointers to unprivileged users

Summary

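tcp_pcblist (lines 1285 and 1288) uses bcopy to copy the entire struct inpcb and struct tcpcb into the xtcpcb record, which is exported through a CTLFLAG_RD sysctl. The copied structures carry roughly 20 or more kernel pointers: inp_socket, inp_ppcb, inp_cred, hash/list links, inp_route.ro_rt, t_inpcb, and callouts. Only xt_socket is sanitized, via sotoxsocket. Any unprivileged user can read the result with sysctl net.inet.tcp.pcblist, which gives a KASLR bypass and exposes heap layout. This is the same anti-pattern that FreeBSD removed.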
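A userland C model of the pattern in this finding, added here as an illustration and not taken from the DragonFly source. The struct names model_inpcb and model_xinpcb, their non-pointer fields, and the helper functions are assumptions. It contrasts the whole-struct copy with a field-by-field export into a pointer-free record and counts the pointer values that survive in each output buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the DragonFly definitions. */
struct model_inpcb {
    void *inp_socket, *inp_ppcb, *inp_cred;   /* kernel pointers */
    uint32_t inp_laddr, inp_faddr;
    uint16_t inp_lport, inp_fport;
};
struct model_xinpcb {                         /* export record: no pointer fields */
    uint32_t xi_len, xi_laddr, xi_faddr;
    uint16_t xi_lport, xi_fport;
};

/* Anti-pattern: the whole kernel object is copied into the export buffer. */
static size_t export_raw(const struct model_inpcb *inp, void *out)
{
    memcpy(out, inp, sizeof(*inp));
    return sizeof(*inp);
}

/* Hardened: zero the record (padding included), then copy named fields only. */
static size_t export_scrubbed(const struct model_inpcb *inp, void *out)
{
    struct model_xinpcb xi;
    memset(&xi, 0, sizeof(xi));
    xi.xi_len = sizeof(xi);
    xi.xi_laddr = inp->inp_laddr;  xi.xi_faddr = inp->inp_faddr;
    xi.xi_lport = inp->inp_lport;  xi.xi_fport = inp->inp_fport;
    memcpy(out, &xi, sizeof(xi));
    return sizeof(xi);
}

/* Build a constructed sample PCB, export it, and count pointer-sized words
 * in the output that equal one of the object's pointer fields. */
int leaked_in_export(int scrubbed)
{
    static int so, pcb, cred;                 /* stand-ins for kernel objects */
    struct model_inpcb inp;
    unsigned char out[sizeof(struct model_inpcb)];
    int hits = 0;

    memset(&inp, 0, sizeof(inp));
    inp.inp_socket = &so;  inp.inp_ppcb = &pcb;  inp.inp_cred = &cred;
    inp.inp_laddr = 0x0a000001;  inp.inp_faddr = 0x0a000002;
    inp.inp_lport = 8080;  inp.inp_fport = 50000;

    size_t len = scrubbed ? export_scrubbed(&inp, out) : export_raw(&inp, out);
    for (size_t off = 0; off + sizeof(void *) <= len; off += sizeof(void *)) {
        void *w;
        memcpy(&w, out + off, sizeof(w));
        hits += (w == inp.inp_socket) + (w == inp.inp_ppcb) + (w == inp.inp_cred);
    }
    return hits;
}
```

The same word-scan over an export buffer works as a regression check: a pointer-typed field added to the kernel struct later cannot reach the scrubbed record without an explicit copy line.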