DragonFlyBSD Kernel Audit
DF-0003 / panic.txt
DF-0003 panic signature -- captured from dfbsd-qemu/boot.log (serial console)
after `kldload poc_negunit.ko` (module whose only action is
device_add_child(root_bus, "df3neg", -2)).

The crash is the exact OOB-write sink cited in the finding:
  sys/kern/subr_bus.c:1144   dc->devices[dev->unit] = dev;

Confirmed by addr2line -e /boot/kernel/kernel 0xffffffff8068a946:
  /usr/src/sys/kern/subr_bus.c:1144

Control (unit=0) loaded cleanly and printed:
  DF0003-CTRL: unit=0 -> OK (child=0xfffff80065c20ea0)  [valid unit: no crash]

Trigger (unit=-2) panicked immediately:
---
login: Fatal user address access from kernel mode ... (some boots)
 / OR /
Fatal trap 12: page fault while in kernel mode
cpuid = 0; lapic id = 0
fault virtual address	= 0xfffffffffffffff0
fault code		= supervisor write data, page not present
instruction pointer	= 0x8:0xffffffff8068a946
stack pointer	        = 0x10:0xfffff800ab5ab738
frame pointer	        = 0x10:0xfffff800ab5ab778
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 990
current thread          = pri 6
kernel: type 12 trap, code=2

CPU0 stopping CPUs: 0x00000002
 stopped
Stopped at      devclass_add_device+0xf6:       movq    %r14,(%rdx,%rax,1)
db>

FAULT-ADDRESS ARITHMETIC (proves negative-index write):
  fault VA  = 0xfffffffffffffff0 = (device_t *)NULL + (-2) = 0 + (-2)*8
  dev->unit = -2 (returned successfully by devclass_alloc_unit)
  dc->devices == NULL for the freshly-created "df3neg" devclass
  => dc->devices[dev->unit] = dev  writes 8 bytes (the dev pointer) at
     address 0 + (-2)*sizeof(device_t) = 0xfffffffffffffff0  (unmapped) ->
     supervisor WRITE page fault inside devclass_add_device at subr_bus.c:1144.

SYMBOL PROOF:
  nm /boot/kernel/kernel | grep devclass_add_device
  ffffffff8068a850 t devclass_add_device      (base)
  fault IP 0xffffffff8068a946 = base + 0xf6    (offset matches panic string)
  addr2line 0xffffffff8068a946 -> sys/kern/subr_bus.c:1144