#!/bin/sh
# DF-0035 build script.
#
# Three artifacts:
#   msgbuf_oob            - the original unprivileged PoC (polls kern.msgbuf
#                           looking for non-text/over-long reads; harmless)
#   msgbuf_diag           - sharper diagnostic; same idea, more reporting
#   dump_msgbuf           - kvm(3)-based dumper of msg_bufx/msg_bufr and the
#                           branch-3 decision (read-only; needs /dev/kmem)
#   msgbuf_oob_decisive   - DECISIVE OOB proof: kvm_write places the bad
#                           geometry then a sysctl read triggers the underflow
#                           (panics the kernel).  Build/run as ROOT only.
#   msgbuf_brute          - brute-force natural-path trigger (root-only; opens
#                           the stale-msg_bufr window via msgbuf_clear, then
#                           tight 1-byte steps + reads)
#
# The unprivileged tools (msgbuf_oob, msgbuf_diag) build on DragonFlyBSD with
# the base-system cc and no extra libraries.  The kvm(3) tools need -lkvm.
set -e
cd "$(dirname "$0")"
echo "[+] building msgbuf_oob (unprivileged poller)"
cc -O2 -o msgbuf_oob msgbuf_oob.c
echo "[+] building msgbuf_diag (unprivileged diagnostic)"
cc -O2 -o msgbuf_diag msgbuf_diag.c
echo "[+] building dump_msgbuf (kvm reader; needs root to read /dev/kmem)"
cc -O2 -o dump_msgbuf dump_msgbuf.c -lkvm
echo "[+] building msgbuf_brute (root-only natural-path brute-forcer)"
cc -O2 -o msgbuf_brute msgbuf_brute.c
echo "[+] building msgbuf_oob_decisive (root-only DECISIVE OOB trigger; panics kernel)"
cc -O2 -o msgbuf_oob_decisive msgbuf_oob_decisive.c -lkvm
echo "[+] build complete"
ls -l msgbuf_oob msgbuf_diag dump_msgbuf msgbuf_brute msgbuf_oob_decisive
