DragonFlyBSD Kernel Audit
DF-0035 / run.sh
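#!/bin/sh
# DF-0035 run script.
#
# Two paths:
#   ./run.sh unprivileged   - run as any user; 2M poll of kern.msgbuf.
#                             Expected on master DEV: NO OOB observed (the
#                             bug is unreachable in normal operation; see
#                             VERDICT.md).  Exit 2 = "no leak" (expected).
#   ./run.sh decisive       - run as ROOT only; performs the kvm_write-forced
#                             OOB trigger that PANICS the kernel in
#                             std_copyout.  DECISIVE proof that the buggy
#                             branch-3 length math at subr_prf.c:1183 produces
#                             an out-of-bounds read.
#                             (Use only on a disposable guest: the kernel
#                             crashes and must be reset.)
#
# Safety gate for "decisive": the intended outcome is a panic of the machine
# this script runs on, so the trigger is refused unless the operator either
# sets DF0035_ACCEPT_PANIC=1 in the environment or, on an interactive
# terminal, types PANIC at the prompt.  A stray "./run.sh decisive" on a
# non-disposable host must never reach the trigger.
#
# Outcome of "decisive": when it works the kernel panics and this script never
# returns, so there is no exit status to observe.  If control DOES come back,
# the trigger did not fire; the helper's exit status is passed through and a
# warning is printed.  NOTE(review): after a non-panicking run the
# msg_bufr/msg_bufx geometry written via kvm_write may still be in place --
# presumably the helper restores it, but confirm before trusting kern.msgbuf
# on that guest.
set -e
cd -- "$(dirname -- "$0")"

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort early when a helper binary is missing, instead of failing inside the
# case arm with a less obvious "not found" from the shell.
need_exe() {
  [ -x "./$1" ] || die "$1 not found or not executable in $(pwd); build it first"
}

# Operator opt-in for the kernel-crashing path (see header).
confirm_panic() {
  if [ "${DF0035_ACCEPT_PANIC:-}" = "1" ]; then
    return 0
  fi
  if [ -t 0 ]; then
    printf 'Type PANIC to crash this kernel (anything else aborts): '
    IFS= read -r answer
    [ "$answer" = "PANIC" ] && return 0
    die "aborted: confirmation not given"
  fi
  die "refusing to panic the kernel without confirmation: set DF0035_ACCEPT_PANIC=1 or run from a terminal"
}

# Default to the harmless path; the destructive one must be asked for by name.
MODE="${1:-unprivileged}"
case "$MODE" in
  unprivileged)
    need_exe msgbuf_diag
    echo "[+] unprivileged kern.msgbuf poll (bug is unreachable here; expected no-hit)"
    # 2M sysctl reads into a 1 MiB buffer.  Exit 2 from msgbuf_diag means
    # "no leak seen" and is the expected result; set -e passes it through.
    ./msgbuf_diag 2000000 1048576
    ;;
  decisive)
    if [ "$(id -u)" -ne 0 ]; then
      echo "decisive mode requires root (writes msg_bufr/msg_bufx via kvm)" >&2
      exit 1
    fi
    need_exe msgbuf_oob_decisive
    # NOTE(review): kvm_write goes through /dev/kmem, which is presumably
    # not writable once kern.securelevel >= 1 -- warn, do not guess.
    seclvl="$(sysctl -n kern.securelevel 2>/dev/null || echo 0)"
    if [ "$seclvl" -gt 0 ] 2>/dev/null; then
      echo "[!] kern.securelevel=$seclvl: writes to /dev/kmem may be refused" >&2
    fi
    echo "[+] DECISIVE OOB trigger (root): kvm_write bad geometry + sysctl read"
    echo "[+] WARNING: this PANICS the kernel.  Use only on a disposable guest."
    confirm_panic
    # Capture the status ourselves so set -e cannot skip the warning below.
    rv=0
    ./msgbuf_oob_decisive || rv=$?
    echo "[!] msgbuf_oob_decisive returned (exit $rv): the kernel did NOT panic," >&2
    echo "    so the OOB trigger did not fire on this kernel." >&2
    exit "$rv"
    ;;
  *)
    echo "usage: $0 [unprivileged|decisive]" >&2
    exit 1
    ;;
esac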