DF-0035 / run.sh
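#!/bin/sh
# DF-0035 run script.
#
# Two paths:
#   ./run.sh unprivileged - run as any user; 2M poll of kern.msgbuf.
#                           Expected on master DEV: NO OOB observed (the
#                           bug is unreachable in normal operation; see
#                           VERDICT.md). Exit 2 = "no leak" (expected).
#   ./run.sh decisive     - run as ROOT only; performs the kvm_write-forced
#                           OOB trigger that PANICS the kernel in
#                           std_copyout. DECISIVE proof that the buggy
#                           branch-3 length math at subr_prf.c:1183 produces
#                           an out-of-bounds read. Exit 0 = panic achieved.
#                           (Use only on a disposable guest: the kernel
#                           crashes and must be reset.)
#
# Arguments: $1 - mode, "unprivileged" (default) or "decisive".
# Returns:   1 on an unknown mode or when "decisive" is run without root;
#            otherwise the exit status of the helper binary, which is the
#            last command of its case arm.

# Abort on the first failing command, including a failed cd below.
set -e

# The helpers are invoked by relative path, so run from the script's own
# directory. "--" keeps a path that starts with "-" from being parsed as an
# option by dirname or cd.
cd -- "$(dirname -- "$0")"

MODE="${1:-unprivileged}"

case "$MODE" in
  unprivileged)
    echo "[+] unprivileged kern.msgbuf poll (bug is unreachable here; expected no-hit)"
    ./msgbuf_diag 2000000 1048576
    ;;
  decisive)
    # The helper writes kernel state through kvm, so refuse early with a
    # clear message instead of letting it fail part-way without root.
    if [ "$(id -u)" -ne 0 ]; then
      echo "decisive mode requires root (writes msg_bufr/msg_bufx via kvm)" >&2
      exit 1
    fi
    echo "[+] DECISIVE OOB trigger (root): kvm_write bad geometry + sysctl read"
    echo "[+] WARNING: this PANICS the kernel. Use only on a disposable guest."
    # NOTE(review): this runs a binary from the script's directory as root.
    # Confirm that the directory and ./msgbuf_oob_decisive are not writable
    # by other users before running this mode.
    ./msgbuf_oob_decisive
    ;;
  *)
    echo "usage: $0 [unprivileged|decisive]" >&2
    exit 1
    ;;
esac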