# DF-0009 — PoC

`leak_vfsconf.c` — unprivileged leak of kernel `.data` pointers via the
`VFS_CONF` (`vfs.generic`) sysctl.

## Verdict

**REPRODUCED** on DragonFly master DEV (`v6.5.0.1712.g89e6a-DEVELOPMENT`,
2026-06-29). As the unprivileged `maxx` user (uid 1001, not in wheel), the PoC
dumps all 11 filesystem-type `struct vfsconf` records. Each leaks two kernel
`.data` pointers — `vfc_vfsops` (the per-filesystem ops vector) and `vfc_next`
(the `vfsconf` list link) — 11 + 10 raw kernel addresses total. Every
`vfc_vfsops` value matches an **exact symbol** in `nm /boot/kernel/kernel`
(e.g. `devfs_vfsops=0xffffffff81111ae0`, `hammer_vfsops=0xffffffff81112000`,
`tmpfs_vfsops=0xffffffff81117200`). The output is byte-identical across 3 runs,
so the leak is deterministic and a reliable KASLR defeat. See `VERDICT.md` for
the full line-by-line trace and the evidence table.

## The issue

`vfs_sysctl()`'s `VFS_CONF` handler (`sys/kern/vfs_subr.c:1845`) copies the
whole `struct vfsconf` to userspace:

```c
return (SYSCTL_OUT(req, vfsp, sizeof *vfsp));   /* :1845 whole struct */
```

`struct vfsconf` (`sys/sys/mount.h:477-484`) embeds `struct vfsops *vfc_vfsops`
(kernel `.data` ops vector) and `STAILQ_ENTRY(vfsconf) vfc_next` (kernel `.data`
list pointer). The `vfs.generic` node is `CTLFLAG_RD` with no privilege gate
(`vfs_subr.c:1850`), and sysctl reads themselves carry no privilege check, so any
unprivileged local user can dump these addresses — a reliable KASLR-bypass
primitive. The legacy `ovfsconf` path (`sysctl_ovfs_conf_iter`, `:1863`) copies
`vfc_vfsops` verbatim too.

## Build

```sh
./build.sh        # cc -o leak_vfsconf leak_vfsconf.c
```

## Run (as an UNPRIVILEGED user)

```sh
./run.sh          # ./leak_vfsconf
```

## Expected output (bug present)

```
sizeof(struct vfsconf) = 48
type 1  hammer      vfc_vfsops=0xffffffff81112000  vfc_next=0xffffffff8110fa40
type 2  mfs         vfc_vfsops=0xffffffff8110fa80  vfc_next=0xffffffff810ebb40
...
type 11 tmpfs       vfc_vfsops=0xffffffff81117200  vfc_next=0x0

filesystem types dumped: 11
kernel .text pointers leaked (vfc_vfsops): 11
kernel .data pointers leaked (vfc_next)  : 10
result: LEAK CONFIRMED (KASLR-defeat primitive)
```

On a fixed kernel the printed `vfc_vfsops`/`vfc_next` would be `0x0` and the
PoC exits 2 (`no kernel pointers observed`).
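The fixed-kernel behaviour described above (pointer fields read back as `0x0`) corresponds to exporting a sanitized copy of each record instead of `SYSCTL_OUT`-ing the raw struct. The following is an added userland model of that fix, not code from DragonFly or from this PoC; `struct vfsconf_model` is a simplified stand-in for the kernel's `struct vfsconf` (assumed field set, real layout differs), and the sample record is constructed from the first line of the expected output.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of struct vfsconf (assumption: only the fields that
 * matter for the leak are included; the kernel's real layout differs). */
struct vfsconf_model {
    void *vfc_vfsops;     /* kernel .data ops vector: must not reach userland */
    char  vfc_name[16];   /* filesystem type name: safe to export */
    int   vfc_typenum;    /* type number: safe to export */
    int   vfc_refcount;   /* active mount count: safe to export */
    int   vfc_flags;      /* feature flags: safe to export */
    void *vfc_next;       /* kernel .data list link: must not reach userland */
};

/* Build the copy that a fixed handler would hand to SYSCTL_OUT: allowlist
 * the non-pointer fields and leave every kernel pointer (and padding) zeroed. */
static void
vfsconf_export(const struct vfsconf_model *in, struct vfsconf_model *out)
{
    memset(out, 0, sizeof *out);                 /* also clears padding */
    memcpy(out->vfc_name, in->vfc_name, sizeof out->vfc_name);
    out->vfc_typenum  = in->vfc_typenum;
    out->vfc_refcount = in->vfc_refcount;
    out->vfc_flags    = in->vfc_flags;
    /* vfc_vfsops and vfc_next intentionally stay NULL. */
}

/* Number of fields in a record that still carry a non-zero pointer. */
static int
vfsconf_leaked_pointers(const struct vfsconf_model *c)
{
    return (c->vfc_vfsops != NULL) + (c->vfc_next != NULL);
}

/* Constructed sample: the hammer record from the PoC's expected output. */
static struct vfsconf_model
sample_hammer(void)
{
    struct vfsconf_model k;
    memset(&k, 0, sizeof k);
    k.vfc_vfsops  = (void *)(uintptr_t)0xffffffff81112000ULL;
    strcpy(k.vfc_name, "hammer");
    k.vfc_typenum = 1;
    k.vfc_next    = (void *)(uintptr_t)0xffffffff8110fa40ULL;
    return k;
}

static int leaks_before_fix(void)
{ struct vfsconf_model k = sample_hammer(); return vfsconf_leaked_pointers(&k); }

static int leaks_after_fix(void)
{ struct vfsconf_model k = sample_hammer(), u; vfsconf_export(&k, &u);
  return vfsconf_leaked_pointers(&u); }

static int name_kept_after_fix(void)
{ struct vfsconf_model k = sample_hammer(), u; vfsconf_export(&k, &u);
  return strcmp(u.vfc_name, "hammer") == 0 && u.vfc_typenum == 1; }
```

`leaks_before_fix()` returns 2 for the raw record and `leaks_after_fix()` returns 0 for the exported copy, while the name and type number survive.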

## Impact

Information disclosure only (kernel `.data` addresses, not memory contents).
Standalone impact is Low, but it is a prerequisite primitive for exploiting any
future local kernel memory-corruption bug (KASLR defeat / gadget relocation).
Reachable by any unprivileged local user on a default kernel; no special
configuration is required.
