DragonFlyBSD Kernel Audit
DF-0381

NGM_LISTHOOKS dereferences hook->peer without lock or ref: TOCTOU NULL-deref/UAF vs concurrent disconnect

Summary

The NGM_LISTHOOKS loop (:1374-1393) checks HK_INVALID and then dereferences hook->peer->name, hook->peer->node->name, etc. No lock or reference couples the HK_INVALID check to the peer dereference. ng_destroy_hook (:815-827) sets HK_INVALID and then NULLs hook->peer, so a concurrent disconnect on another CPU can NULL peer between the check (:1382) and the dereference (:1385+). The loop also uses LIST_FOREACH rather than LIST_FOREACH_SAFE against a concurrent LIST_REMOVE. Panic potential. Low confidence: netisr/mplock serializes most control paths.