DragonFlyBSD Kernel Audit
DF-0402

Direct kernel dereference of user-controlled pointer in netmap_bdg_learning before copyin: panic or kernel info-leak

Summary

In nm_bdg_preflush (line 994), the NS_INDIRECT path sets ft_buf = (void *)(uintptr_t)slot->ptr, a raw user-supplied pointer. netmap_bdg_learning (lines 1107-1108) then reads dmac = le64toh(*(uint64_t *)buf) and smac = le64toh(*(uint64_t *)(buf + 4)) through that raw pointer BEFORE the second pass performs copyin (line 1339). With SMAP enabled, a user address produces a supervisor-mode fault and a kernel panic. A kernel address instead causes 14 bytes of kernel memory to be read, and the resulting MAC hash / forwarding decision leaks their contents as a side channel. The device node is mode 0660, owned root:wheel.
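The fix pattern the finding calls for is to copy the Ethernet header into kernel memory (with the slot length and user range checked) before decoding dmac/smac from it. The following is an added example written for this page, not DragonFlyBSD or netmap code: a flat array stands in for the user address space, sim_copyin stands in for the kernel's copyin, and bdg_learn_from_user shows the hardened ordering. The byte-wise 48-bit MAC decode is an assumption chosen to match the masked/shifted le64toh loads described above without a wide unaligned read; the sample frame is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14   /* dst MAC (6) + src MAC (6) + ethertype (2) */

/*
 * Constructed stand-in for user memory. In the real kernel, copyin()
 * fails with EFAULT for any address outside the user range, and SMAP
 * makes a direct supervisor load from a user address fault instead.
 * Here a flat array plays the user address space and offsets into it
 * play user virtual addresses (the role of slot->ptr in the finding).
 */
static uint8_t user_space[4096];

/* Bounded copy from the simulated user space into a kernel buffer
 * (hypothetical replacement for copyin(), assumption for this example). */
static int sim_copyin(uintptr_t uaddr, void *kaddr, size_t len)
{
    if (len > sizeof(user_space) || uaddr > sizeof(user_space) - len)
        return EFAULT;                    /* outside the user range */
    memcpy(kaddr, user_space + uaddr, len);
    return 0;
}

/* Little-endian 48-bit read of a MAC, equivalent to a masked/shifted
 * le64toh() load, but done byte-wise on a kernel-owned buffer so there
 * is no 8-byte read past the field being decoded. */
static uint64_t mac48(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 5; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/*
 * Hardened learning step. The vulnerable ordering reads
 * *(uint64_t *)buf with buf == (void *)slot->ptr, i.e. before any
 * copyin. Here the header is copied into kernel memory first, with the
 * slot length checked, and only the kernel copy is parsed.
 * Returns 0 on success, EINVAL for a short slot, EFAULT for a bad
 * user pointer; dmac/smac are left untouched on error.
 */
static int bdg_learn_from_user(uintptr_t slot_ptr, size_t slot_len,
                               uint64_t *dmac, uint64_t *smac)
{
    uint8_t hdr[ETH_HDR_LEN];
    int err;

    if (slot_len < ETH_HDR_LEN)
        return EINVAL;                    /* not even a full header */
    err = sim_copyin(slot_ptr, hdr, sizeof(hdr));
    if (err != 0)
        return err;                       /* reject before any parse */
    *dmac = mac48(hdr);                   /* bytes 0..5  */
    *smac = mac48(hdr + 6);               /* bytes 6..11 */
    return 0;
}

/* Constructed sample: one Ethernet header placed at a user offset.
 * Returns 0, or EFAULT if the offset would not fit in the user space. */
static int place_sample_frame(uintptr_t uaddr)
{
    static const uint8_t frame[ETH_HDR_LEN] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC */
        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC */
        0x08, 0x00,                           /* ethertype IPv4 */
    };
    if (uaddr > sizeof(user_space) - sizeof(frame))
        return EFAULT;
    memcpy(user_space + uaddr, frame, sizeof(frame));
    return 0;
}
```

With the frame at user offset 0x100, bdg_learn_from_user(0x100, 64, ...) yields dmac 0x554433221100 and smac 0xbbaa99887766; a 13-byte slot is refused with EINVAL and a pointer past the end of the user region with EFAULT, in both cases without touching the output fields, which is the property the audited code lacks: no byte of the slot is interpreted until it has been copied in.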