DragonFlyBSD Kernel Audit
DF-0009 / manifest.json
← back to finding ↓ download raw
{
  "finding_id": "DF-0009",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "f9d3f338b727fae77096afea0ed3c6dcb144b644bab72a8aceb385ca3419ca58",
  "tested_at": "2026-07-02T00:56:00Z",
  "verdict": "REPRODUCED",
  "impact": "leak",
  "confidence": "certain",
  "reproduce": {
    "build": "./build.sh",
    "run": "./run.sh",
    "expected": "as unprivileged maxx: dumps 11 fs types each with non-NULL kernel .data vfc_vfsops (e.g. devfs=0xffffffff81111ae0) and vfc_next; all match nm /boot/kernel/kernel; on a fixed kernel the pointers would be 0x0 and the PoC exits 2"
  },
  "kernel_refs": [
    "sys/kern/vfs_subr.c:1845",
    "sys/kern/vfs_subr.c:1850",
    "sys/kern/vfs_subr.c:1863",
    "sys/sys/mount.h:478",
    "sys/sys/mount.h:483",
    "sys/sys/mount.h:487"
  ],
  "artifacts": [
    {"path": "leak_vfsconf.c", "type": "trigger-source", "desc": "unprivileged sysctl reader of VFS_CONF; prints vfc_vfsops/vfc_next per fs type"},
    {"path": "VERDICT.md",     "type": "verdict",        "desc": "full narrative: reproduced, line-by-line trace, evidence table vs nm"},
    {"path": "README.md",      "type": "readme",         "desc": "human build/run/expected summary"},
    {"path": "build.sh",       "type": "build-script",   "desc": "cc -o leak_vfsconf leak_vfsconf.c"},
    {"path": "run.sh",         "type": "run-script",     "desc": "./leak_vfsconf as unprivileged user"},
    {"path": "build.log",      "type": "build-log",      "desc": "final successful build, full output"},
    {"path": "run.log",        "type": "run-log",        "desc": "decisive run 1, full output incl 11 leaked .data pointers"},
    {"path": "run.2.log",      "type": "run-log",        "desc": "stability run 2 (byte-identical)"},
    {"path": "run.3.log",      "type": "run-log",        "desc": "stability run 3 (byte-identical)"},
    {"path": "leak_sample.txt","type": "leak-sample",    "desc": "nm cross-ref: each leaked vfc_vfsops matches an exact kernel symbol; kernel text/data bounds"},
    {"path": "env.txt",        "type": "environment",    "desc": "uname, cc version, nm symbol table"},
    {"path": "fix.diff",       "type": "suggested-fix",  "desc": "redact vfc_vfsops/vfc_next in VFS_CONF and ovfs_conf paths (git apply --check passes)"},
    {"path": "manifest.json",  "type": "manifest",       "desc": "this catalog"}
  ]
}