DF-0035 / manifest.json
{ "finding_id": "DF-0035", "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64", "code_hash": "8090e937421ab8262bd9ba291b79b88ddd4d5bd34ce79b472106245d8a3d98e2", "tested_at": "2026-07-01T20:10:00Z", "verdict": "REPRODUCED_WITH_CAVEATS", "impact": "panic+leak (root-only window; unprivileged path unreachable)", "confidence": "certain", "reproduce": { "build": "./build.sh", "run_unprivileged": "./run.sh unprivileged", "run_decisive_root_only_panics_guest": "./run.sh decisive", "expected_unprivileged": "1.5M+ sysctl reads return no over-long / no non-text reads (RC=2). Bug is unreachable here.", "expected_decisive": "kernel panic in std_copyout (trap 0xc) -- DECISIVE proof of the OOB read. Guest must be reset afterwards." }, "kernel_refs": [ "sys/kern/subr_prf.c:1177", "sys/kern/subr_prf.c:1181", "sys/kern/subr_prf.c:1183", "sys/kern/subr_prf.c:1056", "sys/kern/subr_prf.c:1067", "sys/kern/subr_prf.c:1213", "sys/kern/subr_prf.c:1214", "sys/kern/kern_sysctl.c:1197", "sys/kern/kern_sysctl.c:1321", "sys/kern/kern_sysctl.c:1337" ], "artifacts": [ {"path": "msgbuf_oob.c", "type": "trigger-source", "desc": "original unprivileged kern.msgbuf poller (harmless)"}, {"path": "msgbuf_diag.c", "type": "trigger-source", "desc": "sharper unprivileged diagnostic with detailed reporting"}, {"path": "dump_msgbuf.c", "type": "diagnostic", "desc": "kvm(3)-based reader of msg_bufx/msg_bufr + branch-3 decision"}, {"path": "msgbuf_oob_decisive.c", "type": "exploit-trigger", "desc": "DECISIVE root-only trigger: kvm_write bad geometry + sysctl read -> panic"}, {"path": "msgbuf_trigger.c", "type": "trigger-source", "desc": "earlier timing-based natural-path trigger (superseded by decisive)"}, {"path": "msgbuf_brute.c", "type": "trigger-source", "desc": "root-only brute-forcer: 1-byte-step console writes + tight read loop"}, {"path": "run_brute.sh", "type": 
"repro-script", "desc": "wrapper: arrange stale msg_bufr via msgbuf_clear, then brute-force"}, {"path": "build.sh", "type": "build-script", "desc": "builds all five binaries"}, {"path": "run.sh", "type": "run-script", "desc": "run.sh unprivileged | run.sh decisive"}, {"path": "panic.txt", "type": "panic-signature", "desc": "tight panic signature from both decisive runs (proof)"}, {"path": "leak_sample.txt", "type": "leak-sample", "desc": "explanation of the panic signature and what it proves"}, {"path": "run.unprivileged.log", "type": "run-log", "desc": "1.5M-read unprivileged poll on fresh boot: 0 hits"}, {"path": "env.txt", "type": "environment", "desc": "uname, cc version, sysctls"}, {"path": "fix.diff", "type": "suggested-fix", "desc": "git-apply-able: n - rindex_modulo -> n in branch 3"}, {"path": "VERDICT.md", "type": "verdict", "desc": "full narrative: reproduced (with caveats) + reachability analysis"}, {"path": "README.md", "type": "readme", "desc": "human-facing readme with reproduce instructions"}, {"path": "manifest.json", "type": "manifest", "desc": "this catalog"} ] }