DragonFlyBSD Kernel Audit
DF-0548

bitmap[0]=~3 marks non-existent objects free when pool has <32 objects

Summary

In netmap_mem_finalize_all (:677-678), pools[BUF_POOL].bitmap[0] = ~3 = 0xFFFFFFFC unconditionally marks all of bits 2..31 as free. When objtotal < 32, which is legal for VALE private allocators (e.g. 16 for small ports), bits [objtotal, 32) correspond to non-existent objects that are nevertheless marked free. This breaks the invariant objfree == popcount(bitmap). It also amplifies the F2 shared-mem trust finding: a shared-mem-supplied freed index recomputed from the bitmap indexes lut out of bounds (OOB).

Fix: bitmap[0] = (objtotal >= 32) ? ~3u : ((~3u) & ((1u << objtotal) - 1)).
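Added example (not DragonFlyBSD or netmap source): a user-space C model of word 0 of the buffer pool bitmap, comparing the unconditional ~3 initial value with the masked fix for pools of at most 32 objects. Function names are hypothetical, the pool sizes are constructed, and objfree == objtotal - 2 (bits 0 and 1 reserved) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Initial value described in the finding: pool size is ignored. */
static uint32_t bitmap0_unmasked(uint32_t objtotal)
{
    (void)objtotal;
    return ~3u;                         /* 0xFFFFFFFC: bits 2..31 free */
}

/* Fix expression from the finding: keep only bits below objtotal. */
static uint32_t bitmap0_masked(uint32_t objtotal)
{
    return (objtotal >= 32) ? ~3u : ((~3u) & ((1u << objtotal) - 1));
}

static uint32_t popcount32(uint32_t v)
{
    uint32_t n = 0;
    for (; v != 0; v &= v - 1)          /* clear lowest set bit each pass */
        n++;
    return n;
}

/* Free bits at positions >= objtotal, i.e. objects that do not exist. */
static uint32_t phantom_free(uint32_t bitmap0, uint32_t objtotal)
{
    if (objtotal >= 32)
        return 0;
    return popcount32(bitmap0 & ~((1u << objtotal) - 1));
}

/* objfree == popcount(bitmap); assumes 2 <= objtotal <= 32 (one word)
 * and objfree == objtotal - 2 (assumption, see lead-in). */
static int invariant_holds(uint32_t bitmap0, uint32_t objtotal)
{
    return popcount32(bitmap0) == objtotal - 2;
}

int main(void)
{
    const uint32_t sizes[] = { 4, 16, 31, 32 };   /* constructed pool sizes */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint32_t n = sizes[i], u = bitmap0_unmasked(n), m = bitmap0_masked(n);
        printf("objtotal=%2u unmasked=%08x phantom=%2u ok=%d | masked=%08x phantom=%u ok=%d\n",
               n, u, phantom_free(u, n), invariant_holds(u, n),
               m, phantom_free(m, n), invariant_holds(m, n));
    }
    return 0;
}
```

The same invariant_holds check can be turned into a debug assertion after pool finalization to catch any later change that reintroduces an unmasked initial word.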