DragonFlyBSD Kernel Audit
DF-0547

Ring cleanup trusts userspace-writable buf_idx: cross-adapter double-free / buffer aliasing

Summary

netmap_mem_rings_delete() (:995-1016) frees each slot's buffer via netmap_free_buf(na->nm_mem, ring->slot[i].buf_idx) (:1011). The ring lives in shared memory that is mmap'd into userspace, so slot[i].buf_idx is a uint32 that userspace can overwrite at will (netmap.h:130, NS_BUF_CHANGED). netmap_free_buf() (:413-422) only range-checks the index against [2, objtotal); it does not verify that the index was allocated to THIS ring. A malicious user can therefore rewrite buf_idx so that (a) it points at buffers owned by another adapter sharing the global nm_mem, causing a premature free and, once the buffer is reallocated to a different ring, aliasing and cross-process shared-memory corruption; or (b) every slot points at the same valid index, so the repeated frees inflate objfree and desynchronise it from the allocation bitmap. The kernel keeps no per-ring record of buffer ownership. Fix: maintain a kernel-private array of buffer indices per kring and free from that array during cleanup instead of from the shared ring.
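The range-only check and the per-kring fix described above, as an added toy model in C (not DragonFly's or netmap's code; the pool, kring, slot, free_range_only and simulate names are assumptions): two krings share one pool, ring A's shared slots are all rewritten to name ring B's first buffer, and the cleanup that trusts the shared ring is compared with one that frees from a kernel-private copy.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy pool model (hypothetical, not DragonFly's code): 0,1 reserved, [2,OBJTOTAL) allocatable */
#define OBJTOTAL 16
#define NSLOTS    4
struct pool  { uint8_t allocated[OBJTOTAL]; int objfree; };
struct slot  { uint32_t buf_idx; };                   /* lives in the shared, mmap'd ring */
struct kring { struct slot slot[NSLOTS];              /* userspace-writable */
               uint32_t kbuf_idx[NSLOTS]; };          /* kernel-private copy: the fix */
static uint32_t pool_alloc(struct pool *p) {
    for (uint32_t i = 2; i < OBJTOTAL; i++)
        if (!p->allocated[i]) { p->allocated[i] = 1; p->objfree--; return i; }
    return 0;
}

/* Range-only check, as the finding describes for netmap_free_buf(): an in-range
 * index that is not allocated (or not ours) is still "freed" and objfree drifts. */
static void free_range_only(struct pool *p, uint32_t idx) {
    if (idx < 2 || idx >= OBJTOTAL) return;
    p->allocated[idx] = 0;
    p->objfree++;
}

/* Vulnerable cleanup trusts buf_idx read back from the shared ring; the fixed
 * cleanup frees only what the kernel itself recorded for this kring. */
static void rings_delete_vuln(struct pool *p, struct kring *k) {
    for (int i = 0; i < NSLOTS; i++) free_range_only(p, k->slot[i].buf_idx);
}
static void rings_delete_fixed(struct pool *p, struct kring *k) {
    for (int i = 0; i < NSLOTS; i++) { free_range_only(p, k->kbuf_idx[i]); k->kbuf_idx[i] = 0; }
}

static void kring_init(struct pool *p, struct kring *k) {
    for (int i = 0; i < NSLOTS; i++) k->kbuf_idx[i] = k->slot[i].buf_idx = pool_alloc(p);
}
struct outcome { int b_first_still_allocated; int objfree; int bitmap_free; };

/* Krings A and B share one pool. A's shared slots are all rewritten (constructed
 * tampering, the NS_BUF_CHANGED path) to name B's first buffer, then A is deleted. */
static struct outcome simulate(bool use_fixed_cleanup) {
    struct pool p = { {0}, OBJTOTAL - 2 };
    struct kring a, b;
    kring_init(&p, &a); kring_init(&p, &b);
    for (int i = 0; i < NSLOTS; i++) a.slot[i].buf_idx = b.kbuf_idx[0];
    if (use_fixed_cleanup) rings_delete_fixed(&p, &a); else rings_delete_vuln(&p, &a);
    struct outcome o = { p.allocated[b.kbuf_idx[0]], p.objfree, 0 };
    for (int i = 2; i < OBJTOTAL; i++) o.bitmap_free += !p.allocated[i];
    return o;
}
```

With the vulnerable cleanup, B's buffer is released while A's own buffers leak and objfree no longer matches the bitmap; the fixed cleanup never reads the shared ring, so the tampered indices have no effect.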