{
  "finding_id": "DF-0035",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "8090e937421ab8262bd9ba291b79b88ddd4d5bd34ce79b472106245d8a3d98e2",
  "tested_at": "2026-07-01T20:10:00Z",
  "verdict": "REPRODUCED_WITH_CAVEATS",
  "impact": "panic+leak (root-only window; unprivileged path unreachable)",
  "confidence": "certain",
  "reproduce": {
    "build": "./build.sh",
    "run_unprivileged": "./run.sh unprivileged",
    "run_decisive_root_only_panics_guest": "./run.sh decisive",
    "expected_unprivileged": "1.5M+ sysctl reads yield no over-long and no non-text results (RC=2). The bug is unreachable from this path.",
    "expected_decisive": "kernel panic in std_copyout (trap 0xc) -- DECISIVE proof of the OOB read. Guest must be reset afterwards."
  },
  "kernel_refs": [
    "sys/kern/subr_prf.c:1177",
    "sys/kern/subr_prf.c:1181",
    "sys/kern/subr_prf.c:1183",
    "sys/kern/subr_prf.c:1056",
    "sys/kern/subr_prf.c:1067",
    "sys/kern/subr_prf.c:1213",
    "sys/kern/subr_prf.c:1214",
    "sys/kern/kern_sysctl.c:1197",
    "sys/kern/kern_sysctl.c:1321",
    "sys/kern/kern_sysctl.c:1337"
  ],
  "artifacts": [
    {"path": "msgbuf_oob.c",            "type": "trigger-source",   "desc": "original unprivileged kern.msgbuf poller (harmless)"},
    {"path": "msgbuf_diag.c",           "type": "trigger-source",   "desc": "sharper unprivileged diagnostic with detailed reporting"},
    {"path": "dump_msgbuf.c",           "type": "diagnostic",       "desc": "kvm(3)-based reader of msg_bufx/msg_bufr + branch-3 decision"},
    {"path": "msgbuf_oob_decisive.c",   "type": "exploit-trigger",  "desc": "DECISIVE root-only trigger: kvm_write bad geometry + sysctl read -> panic"},
    {"path": "msgbuf_trigger.c",        "type": "trigger-source",   "desc": "earlier timing-based natural-path trigger (superseded by decisive)"},
    {"path": "msgbuf_brute.c",          "type": "trigger-source",   "desc": "root-only brute-forcer: 1-byte-step console writes + tight read loop"},
    {"path": "run_brute.sh",            "type": "repro-script",     "desc": "wrapper: arrange stale msg_bufr via msgbuf_clear, then brute-force"},
    {"path": "build.sh",                "type": "build-script",     "desc": "builds all five binaries"},
    {"path": "run.sh",                  "type": "run-script",       "desc": "run.sh unprivileged | run.sh decisive"},
    {"path": "panic.txt",               "type": "panic-signature",  "desc": "tight panic signature from both decisive runs (proof)"},
    {"path": "leak_sample.txt",         "type": "leak-sample",      "desc": "explanation of the panic signature and what it proves"},
    {"path": "run.unprivileged.log",    "type": "run-log",          "desc": "1.5M-read unprivileged poll on fresh boot: 0 hits"},
    {"path": "env.txt",                 "type": "environment",      "desc": "uname, cc version, sysctls"},
    {"path": "fix.diff",                "type": "suggested-fix",    "desc": "git-apply-able: n - rindex_modulo -> n in branch 3"},
    {"path": "VERDICT.md",              "type": "verdict",          "desc": "full narrative: reproduced (with caveats) + reachability analysis"},
    {"path": "README.md",               "type": "readme",           "desc": "human-facing readme with reproduce instructions"},
    {"path": "manifest.json",           "type": "manifest",         "desc": "this catalog"}
  ]
}