DragonFlyBSD Kernel Audit
DF-0035 / leak_sample.txt
# DF-0035 — Verification evidence

## Decisive kernel panic signature (from `dfbsd-qemu/boot.log`)

The kvm_write-forced geometry (`msg_bufx = msg_size`, `msg_bufr = msg_size/2 + 100000`,
i.e. `xindex_modulo == 0` and `rindex_modulo > msg_size/2`) drives the buggy branch-3
length math at `sys/kern/subr_prf.c:1183` straight into a kernel page fault inside
`std_copyout`: `n - rindex_modulo` is evaluated as `u_int` and wraps to roughly
4 billion, so the copyout it sizes reads past `msg_ptr + msg_size` into the adjacent
(here unmapped) kernel memory. Reproduced twice with identical signatures:

```
panic: assertion "obj != NULL" failed in vm_object_hold_shared at /usr/src/sys/vm/vm_object.c:330
cpuid = 1
Trace:
vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf
vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf
vm_fault() at vm_fault+0x408 0xffffffff8099d7c8
trap_pfault() at trap_pfault+0x9a 0xffffffff80bd49da
trap() at trap+0x17c 0xffffffff80bd52dc
calltrap() at calltrap+0x9 0xffffffff80b9890a
--- trap 000000000000000c, rip = ffffffff80bca5ba, rsp = ..., rbp = ... ---
std_copyout() at std_copyout+0x15a 0xffffffff80bca5ba
Debugger("panic")
Stopped at Debugger+0x7c: movb $0,0xbd77f9(%rip)
db>
```

`rip = ffffffff80bca5ba` lies inside `std_copyout`, the architecture-specific `copyout`
that `sysctl_old_user` calls on behalf of `sysctl_handle_opaque`. Trap 0xc is the page
fault: the kernel-side (source) read of the copyout walked past the mapped region behind
`msg_ptr` into adjacent kernel address space. The `obj != NULL` assertion in
`vm_object_hold_shared` is `vm_fault` finding no backing VM object for the faulting
address, which is why the fault ends in a panic instead of being resolved.

Had the adjacent memory been mapped, the same out-of-bounds read would have completed
and returned kernel heap residue to userspace through the sysctl without any crash:
the silent information-leak outcome, which is the one that matters for this finding.
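The index arithmetic described above, as an added model written for this page (not the DragonFly kernel's own `sysctl_kern_msgbuf` code). It assumes a 1 MiB `msg_size` and takes `n` to be `msg_bufx - msg_bufr`, the bytes written since the reader position; both are assumptions, since the evidence file only gives the two forced indices and the expression `n - rindex_modulo`. The model reproduces the `u_int` wrap for the forced geometry, checks the resulting length against the ring, and shows a hardened chunk computation that validates the counters before doing any subtraction.

```c
/* Model of the DF-0035 msgbuf index math. Added illustration, not DragonFly
 * kernel code. Assumptions (not in the evidence file): msg_size = 1 MiB and
 * n = msg_bufx - msg_bufr. The buggy length expression n - rindex_modulo is
 * the one the evidence attributes to branch 3 of sysctl_kern_msgbuf. */
#include <stdbool.h>
#include <stdio.h>

typedef unsigned int u_int;

struct msgbuf_geom {
	u_int msg_size;  /* ring size in bytes */
	u_int msg_bufx;  /* write index, reduced modulo msg_size when used */
	u_int msg_bufr;  /* read index, reduced modulo msg_size when used */
};

/* The kvm_write-forced geometry from the evidence: xindex_modulo == 0 and
 * rindex_modulo > msg_size/2. The msg_size value itself is assumed. */
struct msgbuf_geom forced_geometry(void)
{
	struct msgbuf_geom g;
	g.msg_size = 1u << 20;                   /* 1048576 (assumption) */
	g.msg_bufx = g.msg_size;                 /* msg_bufx = msg_size */
	g.msg_bufr = g.msg_size / 2 + 100000;    /* msg_bufr = msg_size/2 + 100000 */
	return g;
}

/* Length the buggy branch hands to sysctl_handle_opaque/copyout:
 * n - rindex_modulo evaluated in u_int. For the forced geometry
 * n < rindex_modulo, so the subtraction wraps to a value near UINT_MAX. */
u_int buggy_chunk_len(const struct msgbuf_geom *g)
{
	u_int rindex_modulo = g->msg_bufr % g->msg_size;
	u_int n = g->msg_bufx - g->msg_bufr;     /* assumed definition of n */
	return n - rindex_modulo;                /* 424288 - 624288 wraps */
}

/* True when [start, start + len) lies inside msg_ptr[0, msg_size).
 * Ordered so that msg_size - start cannot itself wrap. */
bool copyout_in_bounds(u_int msg_size, u_int start, u_int len)
{
	return start <= msg_size && len <= msg_size - start;
}

/* Hardened ring read: validate the counters first, then derive both chunk
 * lengths without ever subtracting a modulo from a byte count.
 * Returns 0 on success, -1 (caller maps it to EINVAL) on corrupt counters. */
int safe_chunks(const struct msgbuf_geom *g,
                u_int *first_start, u_int *first_len, u_int *second_len)
{
	u_int size = g->msg_size;
	if (size == 0 || g->msg_bufx < g->msg_bufr)
		return -1;                           /* reader ahead of writer */
	u_int rindex = g->msg_bufr;
	u_int n = g->msg_bufx - rindex;
	if (n > size) {                          /* writer lapped the reader */
		n = size;
		rindex = g->msg_bufx - size;
	}
	u_int rmod = rindex % size;
	u_int tail = size - rmod;                /* bytes from rmod to ring end */
	*first_start = rmod;
	*first_len = n < tail ? n : tail;        /* straight chunk */
	*second_len = n - *first_len;            /* wrapped chunk from msg_ptr[0] */
	return 0;
}

/* One-call probes for the forced geometry. */
u_int forced_buggy_len(void)
{
	struct msgbuf_geom g = forced_geometry();
	return buggy_chunk_len(&g);
}

bool forced_buggy_in_bounds(void)
{
	struct msgbuf_geom g = forced_geometry();
	return copyout_in_bounds(g.msg_size, g.msg_bufr % g.msg_size,
	                         buggy_chunk_len(&g));
}

int main(void)
{
	struct msgbuf_geom g = forced_geometry();
	u_int s, a, b;

	printf("buggy len     = %u (in bounds: %s)\n", forced_buggy_len(),
	       forced_buggy_in_bounds() ? "yes" : "no");
	if (safe_chunks(&g, &s, &a, &b) == 0)
		printf("safe chunks   = start %u len %u, wrap len %u\n", s, a, b);
	return 0;
}
```

With the assumed values the buggy length is 4294767296 bytes starting 624288 bytes into a 1 MiB ring, so the copyout source runs off the end of `msg_ptr` by about 4 GiB, which is what the trace above shows as a kernel-side page fault. The hardened variant yields a 424288-byte straight chunk and an empty wrapped chunk for the same counters, both inside the ring; the `msg_bufx < msg_bufr` rejection is the check that turns kvm-forced or otherwise corrupted counters into an error rather than an out-of-bounds read.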