DragonFlyBSD Kernel Audit
DF-0380

Non-atomic refcount --node->refs/--hook->refs under crit_enter only: cross-CPU UAF/double-free race

Summary

ng_unref (lines 473-484) decrements node->refs, a plain int, with --node->refs under crit_enter/crit_exit only. crit_enter blocks local interrupts and IPIs but does not exclude other CPUs. The increment sites (ng_add_hook:724, ng_queue_data:1946, ng_queue_msg:1995) likewise use a plain ++ protected by at most a crit section. When two CPUs race on this read-modify-write, either both read refs=N and both write N-1 (one decrement is lost and the node leaks), or both reach <=0 and both call kfree (double-free leading to UAF). The NG_NODE_REF macro uses atomic_add_int (netgraph.h:132) while ng_unref does not, so the reference counting is inconsistent. The same applies to hook->refs (lines 687-694).
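As an added illustration (not code from the audit or from DragonFly), the C model below replays the interleaving described above: the non-atomic --refs is split into its load and store halves as two CPUs would execute them, while the hardened variant uses C11 stdatomic in place of the kernel's own atomic helpers and frees only on the observed 1 -> 0 transition. The node struct, mock_kfree and all function names are constructed for the example.

```c
#include <stdatomic.h>

/* Constructed stand-in for a netgraph node; only the refcount matters here. */
struct node {
    atomic_int refs;       /* hardened counter: cross-CPU RMW cannot be lost   */
    int        plain_refs; /* the current plain int, kept to model the race    */
    int        freed;      /* how many times "kfree" ran on this node          */
};

struct outcome { int refs; int freed; };

/* Mock of kfree: counts calls instead of freeing, so a double free is visible. */
static void mock_kfree(struct node *n) { n->freed++; }

/* Hardened ng_unref-style drop. fetch_sub returns the previous value, so
 * exactly one CPU sees 1 -> 0 and frees; acq_rel orders prior accesses
 * before the free on that CPU. */
static void node_unref_atomic(struct node *n)
{
    if (atomic_fetch_sub_explicit(&n->refs, 1, memory_order_acq_rel) == 1)
        mock_kfree(n);
}

/* Model of the non-atomic --refs as two separable steps per CPU: load the
 * value into a register, later store the decremented copy and test it.
 * crit_enter() stops local interrupts but does not serialize this across CPUs. */
static int  racy_load(struct node *n) { return n->plain_refs; }
static void racy_store_and_check(struct node *n, int loaded)
{
    n->plain_refs = loaded - 1;
    if (n->plain_refs <= 0)
        mock_kfree(n);
}

/* Worst-case interleaving: both CPUs load refs before either stores. */
struct outcome simulate_racy_unref(int initial_refs)
{
    struct node n = { .plain_refs = initial_refs, .freed = 0 };
    int cpu0 = racy_load(&n), cpu1 = racy_load(&n);
    racy_store_and_check(&n, cpu0);
    racy_store_and_check(&n, cpu1);
    return (struct outcome){ n.plain_refs, n.freed };
}

/* Same two drops through the atomic path: the count reaches 0 and frees once. */
struct outcome simulate_atomic_unref(int initial_refs)
{
    struct node n = { .plain_refs = 0, .freed = 0 };
    atomic_init(&n.refs, initial_refs);
    node_unref_atomic(&n);
    node_unref_atomic(&n);
    return (struct outcome){ atomic_load(&n.refs), n.freed };
}
```

With refs=2 the racy path ends at refs=1 with no free (leak); with refs=1 both CPUs store 0 and free twice; the atomic path with refs=2 ends at 0 and frees exactly once.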