# DF-0035 — Verification evidence

## Decisive kernel panic signature (from `dfbsd-qemu/boot.log`)

The kvm_write-forced geometry (`msg_bufx = msg_size`, `msg_bufr = msg_size/2 + 100000`, i.e. `xindex_modulo == 0` and `rindex_modulo > msg_size/2`) drives the buggy branch-3 length math at `sys/kern/subr_prf.c:1183` (`n - rindex_modulo` underflows to ~4.0 billion as `u_int`) directly into a kernel page fault inside `std_copyout`: the resulting copyout reads past `msg_ptr + msg_size` into unmapped adjacent kernel memory.

Reproduced twice with identical signatures:

```
panic: assertion "obj != NULL" failed in vm_object_hold_shared at /usr/src/sys/vm/vm_object.c:330
cpuid = 1
Trace:
vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf
vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf
vm_fault() at vm_fault+0x408 0xffffffff8099d7c8
trap_pfault() at trap_pfault+0x9a 0xffffffff80bd49da
trap() at trap+0x17c 0xffffffff80bd52dc
calltrap() at calltrap+0x9 0xffffffff80b9890a
--- trap 000000000000000c, rip = ffffffff80bca5ba, rsp = ..., rbp = ... ---
std_copyout() at std_copyout+0x15a 0xffffffff80bca5ba
Debugger("panic")
Stopped at      Debugger+0x7c:  movb    $0,0xbd77f9(%rip)
db>
```

`rip = ffffffff80bca5ba` is inside `copyout` (the arch-specific `std_copyout`), which `sysctl_old_user` calls from within `sysctl_handle_opaque`. The page fault (trap 0xc) is the read side of the copyout walking past the mapped region of `msg_ptr` into adjacent kernel address space, which in this run happened to be unmapped. Had the adjacent memory been mapped, the same out-of-bounds read would have leaked kernel heap residue to userspace without crashing.
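As an added illustration (not code from the DF-0035 report or from DragonFly's `sys/kern/subr_prf.c`), the following C model reproduces the unsigned length math the note describes and places a checked version beside it. The struct layout, the assumption that the pending byte count is `n = msg_bufx - msg_bufr`, and the 256 KiB `msg_size` are all assumptions, chosen so that the forced geometry satisfies the conditions stated above (`xindex_modulo == 0`, `rindex_modulo > msg_size/2`).

```c
#include <stdbool.h>

/* Constructed model of a message ring buffer with monotonically growing
 * read/write indices.  Field names mirror the note (msg_bufx, msg_bufr,
 * msg_size), but the layout and the length math are assumptions, not
 * DragonFly's actual struct msgbuf or its sysctl handler. */
struct ring {
	unsigned int msg_size;   /* bytes in the backing buffer msg_ptr[] */
	unsigned int msg_bufx;   /* write index (grows without bound) */
	unsigned int msg_bufr;   /* read index  (grows without bound) */
};

/* Length math in the shape the note describes: the chunk length is derived
 * as n - rindex_modulo with no check that rindex_modulo <= n.  Under the
 * forced geometry the subtraction wraps around as an unsigned value, and a
 * copyout given this length runs past msg_ptr + msg_size. */
unsigned int
chunk_len_unchecked(const struct ring *r)
{
	unsigned int n = r->msg_bufx - r->msg_bufr;        /* assumed: bytes pending */
	unsigned int rindex_modulo = r->msg_bufr % r->msg_size;

	return n - rindex_modulo;                           /* wraps when rindex_modulo > n */
}

/* Hardened version: refuse index pairs that are not a consistent window
 * into the buffer, then split the pending bytes into at most two chunks
 * that each stay inside [msg_ptr, msg_ptr + msg_size). */
bool
chunk_lens_checked(const struct ring *r, unsigned int *first, unsigned int *second)
{
	unsigned int n, rindex_modulo, avail;

	if (r->msg_size == 0)
		return false;
	/* Read index ahead of the write index, or a window wider than the
	 * buffer, means the ring state is corrupt: hand nothing to copyout
	 * instead of trusting arithmetic on inconsistent indices. */
	if (r->msg_bufr > r->msg_bufx || r->msg_bufx - r->msg_bufr > r->msg_size)
		return false;

	n = r->msg_bufx - r->msg_bufr;
	rindex_modulo = r->msg_bufr % r->msg_size;
	avail = r->msg_size - rindex_modulo;   /* bytes from the read offset to buffer end */

	*first = n < avail ? n : avail;        /* contiguous tail; cannot cross msg_ptr + msg_size */
	*second = n - *first;                  /* wrapped head, starts at msg_ptr + 0 */
	return true;
}

/* The geometry from the note: msg_bufx = msg_size, msg_bufr = msg_size/2 + 100000.
 * msg_size is an assumption; 256 KiB keeps rindex_modulo above msg_size/2 as required. */
#define DEMO_MSG_SIZE 262144u

struct ring
forced_geometry(void)
{
	struct ring r = { DEMO_MSG_SIZE, DEMO_MSG_SIZE, DEMO_MSG_SIZE / 2 + 100000u };
	return r;
}
```

With the forced geometry, `chunk_len_unchecked` returns a value far larger than `msg_size`, which is exactly the length that drives `std_copyout` off the end of the buffer in the trace above; `chunk_lens_checked` returns chunks whose sum equals the pending byte count and whose first chunk is bounded by `msg_size - rindex_modulo`. Rejecting inconsistent indices outright, rather than clamping them, is what keeps a corrupted ring (whether from a forced kvm_write or from any other memory corruption) from being read at all.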