DragonFlyBSD Kernel Audit
DF-0426

MFC table protected only by crit_enter (local-CPU) not token/lock: cross-CPU UAF race

Summary

The mf6ctable, n6expire and stall queues are manipulated under crit_enter only. A critical section blocks interrupts and preemption on the local CPU but does not exclude other CPUs. ip6_mforward and ip6_mdq run from IPv6 input on any CPU (there is no ASSERT_NETISR0 here, unlike init/done). get_sg_cnt (:359-365) and ip6_mforward (:993-999) leave the critical section and then dereference the rt returned by MF6CFIND, while del_m6fc (:907) and expire_upcalls_dispatch (:1254) kfree entries that another CPU may still hold, giving a use-after-free. Confidence low: it depends on whether multicast input is funneled to netisr0, in which case these paths would all run on one CPU and the race would not exist.
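As an added illustration of the defensive pattern (a hypothetical user-space model, not DragonFly code; every name in it is made up): the lookup hands back a referenced entry, so a concurrent delete on another CPU unlinks the entry but cannot free it while the finder is still dereferencing it. A pthread mutex stands in for a cross-CPU token, and the race is replayed as one sequential interleaving so the outcome can be checked.

```c
/* Hypothetical user-space model of the finding's race (not DragonFly code, names made
 * up): a mutex stands in for a cross-CPU token, a refcount keeps found entries alive. */
#include <pthread.h>
#include <stdlib.h>
struct mf6c_entry {
    unsigned key;             /* stands in for the (origin, group) pair */
    int refs;                 /* the table's reference + one per active user */
    struct mf6c_entry *next;
};
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct mf6c_entry *table;
static int frees;             /* counts real frees so a test can observe lifetime */
void mf6c_put(struct mf6c_entry *e) {         /* drop one reference; free on the last */
    pthread_mutex_lock(&table_lock);
    int last = (--e->refs == 0);
    if (last) frees++;
    pthread_mutex_unlock(&table_lock);
    if (last) free(e);
}
struct mf6c_entry *mf6c_find(unsigned key) {  /* returns a referenced entry, or NULL */
    pthread_mutex_lock(&table_lock);
    struct mf6c_entry *e = table;
    while (e && e->key != key) e = e->next;
    if (e) e->refs++;                         /* the ref, not the lock, keeps it valid */
    pthread_mutex_unlock(&table_lock);
    return e;
}
int mf6c_del(unsigned key) {                  /* unlink, then drop the table's reference */
    pthread_mutex_lock(&table_lock);
    struct mf6c_entry **pp = &table, *e;
    while ((e = *pp) && e->key != key) pp = &e->next;
    if (e) *pp = e->next;
    pthread_mutex_unlock(&table_lock);
    if (e) mf6c_put(e);                       /* frees only if nobody else holds it */
    return e ? 0 : -1;
}
/* Replays the race as one interleaving: CPU A finds, CPU B deletes, CPU A still derefs. */
int race_scenario(void) {
    struct mf6c_entry *n = calloc(1, sizeof *n);
    if (!n) return 0;
    n->key = 7; n->refs = 1;                  /* refs == 1: the table's own reference */
    pthread_mutex_lock(&table_lock);
    n->next = table; table = n;
    pthread_mutex_unlock(&table_lock);
    struct mf6c_entry *e = mf6c_find(7);      /* CPU A: lookup done, lock dropped */
    mf6c_del(7);                              /* CPU B: del_m6fc-style removal */
    int usable = (e->key == 7), early = frees;/* CPU A: the deref the finding flags */
    mf6c_put(e);                              /* CPU A done: the free happens now */
    return usable && early == 0 && frees == 1;
}
```

With crit_enter in place of the mutex, the unlink and free on CPU B would proceed while CPU A is between the lookup and the dereference; the reference count is what closes that window.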