{
  "finding_id": "DF-0008",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "e21e00cb2530e4f0bbd009c92e477c0ac86c555c6e9a154a45c533a5f8042148",
  "tested_at": "2026-07-02T01:09:00Z",
  "verdict": "NOT_REPRODUCED_REAL_AND_REACHABLE",
  "impact": "none",
  "confidence": "likely",
  "reproduce": {
    "build": "./build.sh",
    "run": "./run.sh",
    "expected": "as root: UPDATE-mounts /boot (ufs) with MNT_EXPUBLIC|MNT_EXPORTED + ex_indexfile, reaching the buggy :2261-vput -> :2269-VOP_PATHCONF(rvp) path (rvp is used after it has been vput). Reports 'vfs_setpublicfs UAF path reached ok=N'. On a DEBUG/INVARIANTS kernel this is expected to panic in VOP_PATHCONF (not exercised here: the guest kernel is non-DEBUG); on this non-DEBUG GENERIC kernel the use-after-vput completes silently (no panic), so a clean run is not evidence that the path is harmless."
  },
  "kernel_refs": [
    "sys/kern/vfs_subr.c:2255",
    "sys/kern/vfs_subr.c:2259",
    "sys/kern/vfs_subr.c:2261",
    "sys/kern/vfs_subr.c:2269",
    "sys/kern/vfs_subr.c:2552",
    "sys/kern/vfs_lock.c:703",
    "sys/vfs/ufs/ufs_vfsops.c:58",
    "sys/vfs/ufs/ffs_vfsops.c:1228",
    "sys/kern/vfs_default.c:1562",
    "sys/vfs/ufs/ffs_vfsops.c:270",
    "sys/kern/vfs_subr.c:2201",
    "sys/kern/vfs_syscalls.c:164"
  ],
  "artifacts": [
    {"path": "expub.c",        "type": "trigger-source",  "desc": "root-only UPDATE-mount trigger of vfs_setpublicfs :2261->:2269 UAF path (rewritten: correct struct ufs_args + MNT_UPDATE)"},
    {"path": "VERDICT.md",     "type": "verdict",         "desc": "full narrative: real+reachable, line-by-line proof, why no panic on non-DEBUG kernel"},
    {"path": "README.md",      "type": "readme",          "desc": "human build/run/expected summary"},
    {"path": "build.sh",       "type": "build-script",    "desc": "cc -o expub expub.c"},
    {"path": "run.sh",         "type": "run-script",      "desc": "as root: ./expub /boot N (UPDATE mount w/ MNT_EXPUBLIC+indexfile)"},
    {"path": "build.log",      "type": "build-log",       "desc": "final successful build, full output"},
    {"path": "run.log",        "type": "run-log",         "desc": "decisive run (./expub /boot 16): buggy path reached on 16/16 iterations, no panic, guest still up afterwards"},
    {"path": "run.stress.log", "type": "run-log",         "desc": "stress run (./expub /boot 512) with concurrent vnode churn: buggy path reached on 512/512 iterations, no panic"},
    {"path": "dmesg.txt",      "type": "dmesg",           "desc": "post-trigger dmesg: no vnode/lock/witness/panic warnings"},
    {"path": "env.txt",        "type": "environment",     "desc": "uname, cc version, kernel config (non-DEBUG, no INVARIANTS/WITNESS), /boot=ufs"},
    {"path": "fix.diff",       "type": "suggested-fix",   "desc": "keep rvp locked across vn_get_namelen; vput exactly once per path (applies cleanly per git apply --check; no build or boot test of the patched kernel is recorded in this catalog)"},
    {"path": "manifest.json",  "type": "manifest",        "desc": "this catalog"}
  ]
}