DragonFlyBSD Kernel Audit
DF-0006 / leak_sample.txt
# DF-0006 leak sample — kernel function/heap pointers leaked via kern.ttys
# Guest: DragonFly 6.5-DEVELOPMENT v6.5.0.1712.g89e6a-DEVELOPMENT (amd64)
# Reader: uid=1001 (maxx), NOT in wheel.  Node: kern.ttys (CTLFLAG_RD, world-read)
#
# sysctl_kern_ttys (sys/kern/tty.c:2891-2921) does  t = *tp;  (whole struct),
# sanitizes ONLY t_dev, then SYSCTL_OUT(&t, sizeof(t)). struct tty is 376 bytes;
# 10 ttys -> 3760 bytes leaked. Scanned at 8-byte stride for canonical-upper-half
# kernel addresses (>= 0xffff800000000000).
#
# 102 kernel-range pointer-sized values leaked per run.  Function pointers are
# the KASLR-defeat primitive: they match `nm /boot/kernel/kernel` symbols EXACTLY.

## function pointers (struct tty intra-offset 256/264/272 = t_oproc/t_stop/t_param)
## leaked value            tty driver   nm symbol            type  match
0xffffffff80b8b800 (x8)    syscons      scstart+0x0          T     EXACT
0xffffffff806b7eb0 (x8)    generic      nottystop+0x0        T     EXACT
0xffffffff80b86930 (x8)    syscons      scparam+0x0          t     EXACT
0xffffffff80c2e9b0 (x1)    serial com   comstart+0x0         t     EXACT
0xffffffff80c2fe30 (x1)    serial com   comstop+0x0          t     EXACT
0xffffffff80c30120 (x1)    serial com   comparam+0x0         t     EXACT
0xffffffff810e1280 (x1)    (t_list)     tty_list+0x0         d     EXACT

## heap / direct-map pointers (c_data buffers, t_pgrp/t_session, t_token)
## leaked value            intra-off  nm nearest
0xfffff800abac7600 (x10)   352        (global token, identical across all 10 ttys)
0xfffff80065c84c00..       48         t_rawq.c_data (clist data buffers)
0xfffff800ab6d2800..       80         t_canq.c_data
0xfffff80066828000..       112        t_outq.c_data
0xfffff80046186370..       160        t_pgrp (pgrp slab objects)
0xfffff80065bfd098..       168        t_session (session slab objects)
0xffffffff80d86d34 (x10)   24         lwkt_token internal (db_lengths+0x16c region)

## decisive excerpt from run.log
got 3760 bytes from kern.ttys
raw blob written to ttys.bin (3760 bytes)
  blob offset    24 (word     3): 0xffffffff80d86d34
  ...
  blob offset   256 (word    32): 0xffffffff80b8b800   <- t_oproc = scstart  (.text)
  blob offset   264 (word    33): 0xffffffff806b7eb0   <- t_stop  = nottystop (.text)
  blob offset   272 (word    34): 0xffffffff80b86930   <- t_param = scparam  (.text)
  ...
total kernel-range pointer-sized values leaked: 102
RUN_EXIT=0

## interpretation
The leaked .text function-pointer values (scstart/nottystop/scparam/comstart/
comstop/comparam) EXACTLY equal their static `nm /boot/kernel/kernel` addresses,
so this build has no KASLR slide at the tty function pointers; an attacker reads
the precise kernel .text base from an unprivileged account. The 0xfffff8xxxxxxxxxx
values are live slab/direct-map addresses (clist buffers, pgrp/session objects),
revealing kernel heap layout for grooming a separate heap-corruption bug.

## variance across 3 runs (same boot)
run.log / run.2.log / run.3.log : identical "102 kernel-range pointers leaked";
function-pointer addresses byte-identical across runs (stable .text); slab
addresses byte-identical within the boot (stable slab layout).  Across a reboot
the slab addresses change but the .text addresses stay fixed (no KASLR).
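Added here as a regression check, not part of the audit's own tooling: it walks an exported blob at the 8-byte stride and canonical-upper-half threshold the sample describes and classifies each hit as kernel image (.text/.data) or direct-map, so the same scan can be rerun after the sysctl is fixed to zero pointer fields before SYSCTL_OUT and expected to report zero. The blob is constructed from the offsets and value kinds listed above, and the split between image and direct-map addresses is assumed at 0xffffffff80000000, which is consistent with the sample's values.

```python
import struct

# Thresholds: the sample scans for canonical-upper-half addresses; the kernel image
# boundary is an assumption consistent with the 0xffffffff8.../0xfffff8... values above.
KERNEL_RANGE_MIN = 0xFFFF800000000000
KERNEL_IMAGE_MIN = 0xFFFFFFFF80000000
TTY_SIZE = 376   # sizeof(struct tty) on this build, per the sample

# Constructed sample: one struct-tty-sized record carrying the value kinds the
# sample lists, at the intra-struct offsets it lists; every other byte is zero.
SAMPLE_WORDS = {
    24:  0xFFFFFFFF80D86D34,   # lwkt_token internal (.data)
    48:  0xFFFFF80065C84C00,   # t_rawq.c_data (direct-map)
    256: 0xFFFFFFFF80B8B800,   # t_oproc = scstart (.text)
    264: 0xFFFFFFFF806B7EB0,   # t_stop  = nottystop (.text)
    272: 0xFFFFFFFF80B86930,   # t_param = scparam (.text)
}

def build_sample_blob(ttys: int = 1) -> bytes:
    """Build `ttys` consecutive struct-tty-sized records holding SAMPLE_WORDS."""
    buf = bytearray(TTY_SIZE * ttys)
    for i in range(ttys):
        for off, val in SAMPLE_WORDS.items():
            struct.pack_into("<Q", buf, i * TTY_SIZE + off, val)
    return bytes(buf)

def scan_kernel_pointers(blob: bytes, stride: int = 8) -> list:
    """Return (offset, value, kind) for every word at `stride` that lies in the
    kernel address range, the same walk the sample's run.log shows."""
    hits = []
    for off in range(0, len(blob) - 7, stride):
        (val,) = struct.unpack_from("<Q", blob, off)
        if val < KERNEL_RANGE_MIN:
            continue
        kind = "image" if val >= KERNEL_IMAGE_MIN else "direct-map"
        hits.append((off, val, kind))
    return hits

def leak_summary(blob: bytes) -> dict:
    """Counts by kind plus the intra-struct offsets seen. A fixed export
    (pointer fields zeroed before SYSCTL_OUT) should yield total == 0."""
    hits = scan_kernel_pointers(blob)
    summary = {"total": len(hits), "image": 0, "direct-map": 0, "intra_offsets": set()}
    for off, _val, kind in hits:
        summary[kind] += 1
        summary["intra_offsets"].add(off % TTY_SIZE)
    return summary
```

Running `leak_summary(build_sample_blob(10))` reports 50 hits (40 image, 10 direct-map) at intra-struct offsets {24, 48, 256, 264, 272}, while an all-zero blob of the same size reports none.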