DragonFlyBSD Kernel Audit
DF-0497

TOCTOU use-after-free on rtentry in ng_btsocket_l2cap_raw_bind: releases rt_lock before storing pointer

Summary

ng_btsocket_l2cap_raw_bind(:690-715) looks up rt under rt_lock, releases rt_lock at :703, and only stores the pointer at :714. ng_btsocket_l2cap_rtentry carries no refcount (ng_btsocket_l2cap.h:44-48). Between :703 and :712 bind holds neither rt_lock nor pcb_lock, so ng_btsocket_l2cap_raw_rtclean(:450-502) can LIST_REMOVE + kfree the rt (:495) inside that window; bind then stores the dangling pointer as pcb->rt (:714). A subsequent ioctl dereferences pcb->rt->hook without rt_lock and reads freed heap. The freed slot is reclaimable from M_NETGRAPH, so an attacker gets partial control of the ->hook pointer (UAF leading to type confusion). An unprivileged local user can attempt the bind (attach grants the socket; the caps check only sets a flag). Barrier: triggering the concurrent hook disconnect needs netgraph privilege, BT hardware removal, or a malicious peer. Fix: hold rt_lock across :714.
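The interleaving above, as an added userland model rather than DragonFly or netgraph code: two pthreads play bind and rtclean, and a small stage handshake forces rtclean to run exactly in the window between the rt_lock release (:703) and the pcb->rt store (:714), since a real race would be timing-dependent. All names (rt_model, pcb_model, run_bind_vs_rtclean, the stage helpers) are stand-ins for the kernel objects and are assumptions of the model. It also assumes, as an assumption not stated in the finding, that rtclean clears pcb->rt for any pcb referencing the entry (under pcb_lock) before it unlinks and frees it; that is what makes holding rt_lock across the store sufficient. kfree is modelled by a freed flag with the memory kept, so inspecting the outcome is not itself a use-after-free.

```c
/* Userland model of the ng_btsocket_l2cap_raw_bind / rtclean race in DF-0497.
 * Added example; not DragonFly or netgraph code. Every name below is a stand-in. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

struct rt_model {
    int hook_present;   /* stands in for rt->hook, what a later ioctl dereferences */
    int freed;          /* kfree() stand-in; memory is kept so the result is safe to inspect */
};

struct pcb_model {
    pthread_mutex_t pcb_lock;
    struct rt_model *rt;
};

static pthread_mutex_t rt_lock = PTHREAD_MUTEX_INITIALIZER;
static struct rt_model g_rt;                        /* the single routing entry (assumed) */
static struct pcb_model g_pcb = { PTHREAD_MUTEX_INITIALIZER, NULL };

/* Handshake that pins the interleaving: 0 start, 1 bind finished lookup, 2 rtclean done. */
static pthread_mutex_t stage_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t stage_cv = PTHREAD_COND_INITIALIZER;
static int stage;

static void stage_set(int s)
{
    pthread_mutex_lock(&stage_lock);
    stage = s;
    pthread_cond_broadcast(&stage_cv);
    pthread_mutex_unlock(&stage_lock);
}

static void stage_wait(int s)
{
    pthread_mutex_lock(&stage_lock);
    while (stage < s)
        pthread_cond_wait(&stage_cv, &stage_lock);
    pthread_mutex_unlock(&stage_lock);
}

/* Caller holds rt_lock: the entry is visible only while still "on the list". */
static struct rt_model *rt_lookup_locked(void)
{
    return g_rt.freed ? NULL : &g_rt;
}

/* rtclean model (assumption): under rt_lock, clear any pcb->rt that points at the
 * entry (under pcb_lock), then LIST_REMOVE + kfree it. A pcb that stores the
 * pointer only after this sweep is never visited; that is the dangling case. */
static void *rtclean_thread(void *arg)
{
    (void)arg;
    stage_wait(1);                          /* bind has completed its lookup */
    pthread_mutex_lock(&rt_lock);           /* blocks while bind still holds rt_lock */
    pthread_mutex_lock(&g_pcb.pcb_lock);
    if (g_pcb.rt == &g_rt)
        g_pcb.rt = NULL;
    pthread_mutex_unlock(&g_pcb.pcb_lock);
    g_rt.hook_present = 0;                  /* LIST_REMOVE + kfree stand-in (:495) */
    g_rt.freed = 1;
    pthread_mutex_unlock(&rt_lock);
    stage_set(2);
    return NULL;
}

/* bind model. hold == 0 is the ordering the finding reports (drop rt_lock at :703,
 * store at :714); hold == 1 is the suggested fix, rt_lock held across the store. */
static void *bind_thread(void *arg)
{
    int hold = *(int *)arg;
    struct rt_model *rt;

    pthread_mutex_lock(&rt_lock);
    rt = rt_lookup_locked();
    if (!hold) {
        pthread_mutex_unlock(&rt_lock);     /* :703 */
        stage_set(1);
        stage_wait(2);                      /* rtclean runs inside the window */
    } else {
        stage_set(1);                       /* rtclean may start, but blocks on rt_lock */
    }
    pthread_mutex_lock(&g_pcb.pcb_lock);
    g_pcb.rt = rt;                          /* :714 */
    pthread_mutex_unlock(&g_pcb.pcb_lock);
    if (hold)
        pthread_mutex_unlock(&rt_lock);
    return NULL;
}

enum outcome { OUTCOME_CLEARED = 0, OUTCOME_DANGLING = 1 };

/* Runs one interleaving and reports what a later ioctl would find in pcb->rt. */
int run_bind_vs_rtclean(int hold_rt_lock_across_store)
{
    pthread_t tb, tc;

    g_rt.hook_present = 1;
    g_rt.freed = 0;
    g_pcb.rt = NULL;
    stage = 0;
    pthread_create(&tc, NULL, rtclean_thread, NULL);
    pthread_create(&tb, NULL, bind_thread, &hold_rt_lock_across_store);
    pthread_join(tb, NULL);
    pthread_join(tc, NULL);
    if (g_pcb.rt != NULL && g_pcb.rt->freed)
        return OUTCOME_DANGLING;
    return OUTCOME_CLEARED;
}

int main(void)
{
    printf("release rt_lock before store: %s\n",
           run_bind_vs_rtclean(0) ? "pcb->rt points at a freed entry" : "pcb->rt cleared");
    printf("hold rt_lock across store:    %s\n",
           run_bind_vs_rtclean(1) ? "pcb->rt points at a freed entry" : "pcb->rt cleared");
    return 0;
}
```

In the first run rtclean's sweep sees pcb->rt == NULL, frees the entry, and bind then writes the stale pointer; in the second, rtclean cannot take rt_lock until the store is done, so its sweep finds the reference and NULLs it. In the kernel the freed slot can be reclaimed from M_NETGRAPH before the ioctl, which is why the dangling outcome is more than a null-pointer fault.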