DragonFlyBSD Kernel Audit
DF-0525

ng_fec_tick iterates port list with no list lock: UAF race vs addport/delport

Summary

ng_fec_tick (:579-612, run from the callout at :535/616) walks the port list with TAILQ_FOREACH(p, &b->ng_fec_ports, fec_list) while holding no lock on that list. The comment at :575-578 notes that the parent serializer is not held. A concurrent NGM_FEC_DEL_IFACE does TAILQ_REMOVE (:464) followed by kfree(p) (:465) under ifnet_lock only, so the tick can dereference a freed list node: use-after-free. This is distinct from DF-0524 (UAF on the stored ifp): here the freed object is the list node, not the ifp. Fix: hold one consistent lock across both the tick iteration and the addport/delport list mutations.
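
The locking discipline named in the fix, as an added userspace model that is not code from ng_fec.c or from this audit. All identifiers (ports_lock, addport, delport, tick, run_model) are hypothetical, and the pthread mutex is an assumed stand-in for whichever kernel lock is chosen.

```c
/* Userspace model (constructed); every name here is hypothetical, not ng_fec.c code. */
#include <pthread.h>
#include <stdlib.h>
#include <sys/queue.h>

#define PORT_LIVE 0x504f5254u              /* set while a node is on the list */

struct port { unsigned magic; TAILQ_ENTRY(port) link; };
static TAILQ_HEAD(, port) ports = TAILQ_HEAD_INITIALIZER(ports);
/* One lock for every reader and writer of the list (assumed stand-in for the kernel lock). */
static pthread_mutex_t ports_lock = PTHREAD_MUTEX_INITIALIZER;

static void addport(void) {
    struct port *p = malloc(sizeof(*p));
    if (p == NULL) return;
    p->magic = PORT_LIVE;
    pthread_mutex_lock(&ports_lock);
    TAILQ_INSERT_TAIL(&ports, p, link);
    pthread_mutex_unlock(&ports_lock);
}

static void delport(void) {
    pthread_mutex_lock(&ports_lock);
    struct port *p = TAILQ_FIRST(&ports);
    if (p != NULL) { TAILQ_REMOVE(&ports, p, link); p->magic = 0; }
    pthread_mutex_unlock(&ports_lock);
    free(p);                               /* unlinked under the lock: no walker can reach it */
}

/* Periodic walk: holds the same lock for the whole iteration. Returns stale nodes seen. */
static int tick(void) {
    int stale = 0;
    struct port *p;
    pthread_mutex_lock(&ports_lock);
    TAILQ_FOREACH(p, &ports, link)
        if (p->magic != PORT_LIVE) stale++;
    pthread_mutex_unlock(&ports_lock);
    return stale;
}

static void *churn(void *arg) {            /* mutator thread: add two, delete two, per round */
    for (int i = 0; i < *(int *)arg; i++) { addport(); addport(); delport(); delport(); }
    return NULL;
}

/* Race add/del against tick; returns stale nodes observed (+1 if list not empty), -1 on error. */
int run_model(int rounds) {
    pthread_t t; int stale = 0;
    if (pthread_create(&t, NULL, churn, &rounds) != 0) return -1;
    for (int i = 0; i < rounds; i++) stale += tick();
    pthread_join(t, NULL);
    return stale + (TAILQ_EMPTY(&ports) ? 0 : 1);
}
int main(void) { return run_model(1000) != 0; }
```

Removing either lock acquisition from tick() reproduces the shape of the finding: the walker can load a node pointer that delport() frees before the next dereference.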