⬢ DragonFlyBSD Kernel Audit
โ† dashboard
DF-0490

Type confusion in in_lifaddr_ioctl: AF_INET6 check matches IPv6 addresses cast to in_ifaddr — unpriv heap OOB read/info leak via SIOCGLIFADDR

Summary

in_lifaddr_ioctl (:911) tests `if (ifa->ifa_addr->sa_family != AF_INET6) continue;` inside the IPv4 handler; the constant should be AF_INET. The loop therefore skips every IPv4 address and matches only IPv6 ones. At :923 the matching in6_ifaddr is cast to in_ifaddr, but the two structs are laid out differently: in_ifaddr.ia_addr sits at roughly 72 bytes from the start of the struct, while in6_ifaddr has a different member at that offset. At :927, `bcopy(&ia->ia_addr, &iflr->addr, ia->ia_addr.sin_len)` reads its sin_len byte from that wrong offset (in the middle of the in6 dstaddr), so an arbitrary byte value becomes the bcopy length and the copy can read up to 255 bytes past the allocation on the heap.

SIOCGLIFADDR has no privilege check: the `case SIOCGLIFADDR` at :443 falls through from the SIOCALIFADDR/SIOCDLIFADDR priv gate at :437-441 without a check of its own. Any local user can issue SIOCGLIFADDR on lo0, which carries ::1 by default; the first AF_INET6 address matches and the over-long copy is returned to the caller via copyout, leaking heap contents (a KASLR bypass). A large sin_len that crosses into an unmapped page panics the kernel instead.

The AF_INET6 constant is a DragonFly-specific typo; FreeBSD uses AF_INET here. Fix: change AF_INET6 to AF_INET at :911, and validate that sin_len == sizeof(struct sockaddr_in) before the copy.
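A constructed user-space model of the type confusion and of the fixed check, added here and not DragonFly kernel code: the struct layouts, constants and names (m_ prefix) are simplified assumptions chosen so that in_ifaddr.ia_addr lands inside in6_ifaddr.ia_dstaddr, which is the property the finding describes; the real offsets differ.

```c
/* Constructed model of DF-0490, not DragonFly kernel code. Layouts are
 * simplified so in_ifaddr.ia_addr overlaps in6_ifaddr.ia_dstaddr. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define M_AF_INET  2
#define M_AF_INET6 28   /* BSD value */
struct m_sockaddr     { uint8_t len, family; };
struct m_sockaddr_in  { uint8_t sin_len, sin_family; uint16_t port; uint32_t addr; uint8_t zero[8]; };
struct m_sockaddr_in6 { uint8_t sin6_len, sin6_family; uint16_t port; uint32_t flow; uint8_t addr[16]; uint32_t scope; };
struct m_ifaddr       { struct m_sockaddr *ifa_addr; };
struct m_in_ifaddr    { struct m_ifaddr ia_ifa; uint8_t other[40]; struct m_sockaddr_in ia_addr; };
struct m_in6_ifaddr   { struct m_ifaddr ia_ifa; uint8_t other[8]; struct m_sockaddr_in6 ia_addr, ia_dstaddr; };

/* Length the buggy path (:911 family test, :923 cast) would hand to bcopy.
 * Only the length byte is read, nothing is copied, so this stays in bounds. */
size_t buggy_copy_len(struct m_ifaddr *ifa) {
    if (ifa->ifa_addr->family != M_AF_INET6) return 0;   /* IPv4 entries skipped */
    struct m_in_ifaddr *ia = (struct m_in_ifaddr *)ifa;  /* the type confusion */
    return ia->ia_addr.sin_len;                          /* really a dstaddr byte */
}
/* Hardened form: right family, and the length bounded, before any copy. */
int fixed_get_lifaddr(struct m_ifaddr *ifa, struct m_sockaddr_in *out) {
    if (ifa->ifa_addr->family != M_AF_INET) return -1;
    struct m_in_ifaddr *ia = (struct m_in_ifaddr *)ifa;
    if (ia->ia_addr.sin_len != sizeof(ia->ia_addr)) return -1;
    memcpy(out, &ia->ia_addr, sizeof(ia->ia_addr));
    return 0;
}
static struct m_in6_ifaddr v6;    /* constructed lo0-style ::1 entry */
static struct m_in_ifaddr  v4;    /* constructed 127.0.0.1 entry */
static struct m_sockaddr_in scratch;
struct m_ifaddr *make_v6(void) {
    memset(&v6, 0, sizeof v6);
    v6.ia_addr.sin6_len = sizeof v6.ia_addr; v6.ia_addr.sin6_family = M_AF_INET6;
    v6.ia_addr.addr[15] = 1;                   /* ::1 */
    v6.ia_dstaddr.flow = 0xC8C8C8C8u;          /* filler the cast reads as sin_len */
    v6.ia_ifa.ifa_addr = (struct m_sockaddr *)&v6.ia_addr;
    return &v6.ia_ifa;
}
struct m_ifaddr *make_v4(uint8_t sin_len) {
    memset(&v4, 0, sizeof v4);
    v4.ia_addr.sin_len = sin_len; v4.ia_addr.sin_family = M_AF_INET;
    v4.ia_addr.addr = 0x7f000001u;             /* 127.0.0.1, host order */
    v4.ia_ifa.ifa_addr = (struct m_sockaddr *)&v4.ia_addr;
    return &v4.ia_ifa;
}
int fixed_on(struct m_ifaddr *ifa) { return fixed_get_lifaddr(ifa, &scratch); }
```

With the IPv6 entry the buggy path would pass 200 to bcopy, far beyond the 16-byte sockaddr_in; the fixed handler rejects that entry on family and rejects an IPv4 entry whose sin_len is not sizeof(struct sockaddr_in).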