DragonFlyBSD Kernel Audit
DF-0492

Lockless race on L2TP seq/window state: concurrent timer + remote packet processing -> UAF on xwin[] mbufs and node private data

Summary

The v1 struct l2tp_seq (:120-137) has no mutex, whereas the ng7 version carries an mtx. The timer callbacks (rack_timeout:1309, xack_timeout:1267) bracket their work with crit_enter/crit_exit, but the receive and transmit paths (seq_recv_nr:1129, seq_recv_ns, xmit_ctrl) take no critical section and no lock. On SMP these paths run truly concurrently. Concrete UAF: on CPU A, ng_l2tp_seq_recv_nr frees xwin[0..nack-1] via m_freem (:1149-1150) and then memmove/memset the array (:1151-1154); on CPU B, ng_l2tp_seq_rack_timeout calls L2TP_COPY_MBUF(xwin[0]) (:1351) on the mbuf being freed, giving a use-after-free inside m_copypacket. The node refcount is racy as well: callout_stop (:1185) may return 0 while NG_NODE_REF (:1198) races with a concurrent NG_NODE_UNREF (:1329), so the node private data can be freed prematurely. A remote attacker flooding L2TP control packets on UDP 1701 while the timer is executing hits the race window and triggers a kernel panic or UAF. ng7 fixed this with mtx_init plus mtx_lock at 7 sites. Fix: add a mutex to l2tp_seq and lock all seq state access.