DF-0008 / manifest.json
{ "finding_id": "DF-0008", "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64", "code_hash": "e21e00cb2530e4f0bbd009c92e477c0ac86c555c6e9a154a45c533a5f8042148", "tested_at": "2026-07-02T01:09:00Z", "verdict": "NOT_REPRODUCED_REAL_AND_REACHABLE", "impact": "none", "confidence": "likely", "reproduce": { "build": "./build.sh", "run": "./run.sh", "expected": "as root: UPDATE-mounts /boot (ufs) with MNT_EXPUBLIC|MNT_EXPORTED + ex_indexfile, reaching the buggy :2261-vput -> :2269-VOP_PATHCONF(rvp) path. Reports 'vfs_setpublicfs UAF path reached ok=N'. On a DEBUG/INVARIANTS kernel this panics in VOP_PATHCONF; on this non-DEBUG GENERIC kernel it races silently (no panic)." }, "kernel_refs": [ "sys/kern/vfs_subr.c:2255", "sys/kern/vfs_subr.c:2259", "sys/kern/vfs_subr.c:2261", "sys/kern/vfs_subr.c:2269", "sys/kern/vfs_subr.c:2552", "sys/kern/vfs_lock.c:703", "sys/vfs/ufs/ufs_vfsops.c:58", "sys/vfs/ufs/ffs_vfsops.c:1228", "sys/kern/vfs_default.c:1562", "sys/vfs/ufs/ffs_vfsops.c:270", "sys/kern/vfs_subr.c:2201", "sys/kern/vfs_syscalls.c:164" ], "artifacts": [ {"path": "expub.c", "type": "trigger-source", "desc": "root-only UPDATE-mount trigger of vfs_setpublicfs :2261->:2269 UAF path (rewritten: correct struct ufs_args + MNT_UPDATE)"}, {"path": "VERDICT.md", "type": "verdict", "desc": "full narrative: real and reachable, line-by-line proof, why there is no panic on a non-DEBUG kernel"}, {"path": "README.md", "type": "readme", "desc": "human-readable build/run/expected summary"}, {"path": "build.sh", "type": "build-script", "desc": "cc -o expub expub.c"}, {"path": "run.sh", "type": "run-script", "desc": "as root: ./expub /boot N (UPDATE mount w/ MNT_EXPUBLIC+indexfile)"}, {"path": "build.log", "type": "build-log", "desc": "final successful build, full output"}, {"path": "run.log", "type": "run-log", "desc": "decisive run (/boot 16): path reached 16/16, no panic, guest up"}, {"path": "run.stress.log", "type": "run-log", "desc": "stress run (/boot 512) with vnode churn: path reached 512/512, no panic"}, {"path": "dmesg.txt", "type": "dmesg", "desc": "post-trigger dmesg: no vnode/lock/witness/panic warnings"}, {"path": "env.txt", "type": "environment", "desc": "uname, cc version, kernel config (non-DEBUG, no INVARIANTS/WITNESS), /boot=ufs"}, {"path": "fix.diff", "type": "suggested-fix", "desc": "keep rvp locked across vn_get_namelen; vput exactly once per path (git apply --check passes)"}, {"path": "manifest.json", "type": "manifest", "desc": "this catalog"} ] }