{
  "finding_id": "DF-0044",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "936eb1db7b5cc8a3390a617cf0c1e3f98c047d4e04aea5208cdebf5e436f4a5d",
  "tested_at": "2026-07-01T21:08:00Z",
  "verdict": "NOT REPRODUCED (race too tight) -- code-level bug CONFIRMED",
  "impact": "none (on this kernel); theoretical panic/info-leak if the race is won",
  "confidence": "certain (code-level); likely (race too tight to demonstrate)",
  "reproduce": {
    "build": "./build.sh",
    "run": "./run.sh 60",
    "expected": "On a non-INVARIANTS kernel: process exits cleanly with 'still alive -- race not won this run' (the race is real but the deref at vfs_cache.c:5224 finishes in nanoseconds while dounmount's kfree is gated by an mnt_refs drain that takes milliseconds). On an INVARIANTS kernel or with successful heap grooming: kernel panic in _cache_hold on a bogus ncp, or a slab-use-after-free signature."
  },
  "kernel_refs": [
    "sys/kern/vfs_mount.c:1235",
    "sys/kern/vfs_mount.c:1240",
    "sys/kern/vfs_mount.c:1245",
    "sys/kern/vfs_mount.c:1247",
    "sys/kern/vfs_mount.c:413",
    "sys/kern/vfs_mount.c:418",
    "sys/kern/vfs_mount.c:420",
    "sys/kern/vfs_mount.c:421",
    "sys/kern/vfs_mount.c:756",
    "sys/kern/vfs_mount.c:784",
    "sys/kern/vfs_mount.c:393",
    "sys/kern/vfs_mount.c:399",
    "sys/kern/vfs_mount.c:401",
    "sys/kern/vfs_mount.c:403",
    "sys/kern/vfs_cache.c:5213",
    "sys/kern/vfs_cache.c:5214",
    "sys/kern/vfs_cache.c:5224",
    "sys/kern/vfs_cache.c:5227",
    "sys/kern/vfs_cache.c:5228",
    "sys/kern/vfs_syscalls.c:1040",
    "sys/kern/vfs_syscalls.c:1066",
    "sys/kern/vfs_syscalls.c:1069",
    "sys/kern/vfs_syscalls.c:1108",
    "sys/kern/vfs_syscalls.c:1110",
    "sys/kern/vfs_syscalls.c:1117",
    "sys/kern/vfs_syscalls.c:931",
    "sys/kern/vfs_syscalls.c:946",
    "sys/kern/vfs_syscalls.c:988",
    "sys/kern/vfs_nlookup.c:1056",
    "sys/vfs/procfs/procfs_map.c:181"
  ],
  "artifacts": [
    {"path": "mount_uaf.c",       "type": "trigger-source",  "desc": "unprivileged PoC: cycler threads mount+unmount a tmpfs the binary sits inside, while reader threads read /proc/self/map (driving vn_fullpath guess=1 -> cache_fullpath -> mount_get_by_nc -> deref of new_mp->mnt_ncmounton)"},
    {"path": "mount_uaf_root.c",  "type": "trigger-source",  "desc": "root-only variant using MNT_FORCE for a faster free-side cycle (defeated by allproc_scan SIGKILL of the test process itself)"},
    {"path": "build.sh",          "type": "build-script",    "desc": "cc -pthread -O2 -o mount_uaf mount_uaf.c (and the root variant)"},
    {"path": "run.sh",            "type": "run-script",      "desc": "sets up the cycled mount, hosts the binary inside, runs the unprivileged variant"},
    {"path": "build.log",         "type": "build-log",       "desc": "final successful build of both variants on the guest"},
    {"path": "run.log",           "type": "run-log",         "desc": "decisive 60s unprivileged run: 288137 deref iters, 2 successful free cycles, no panic, guest stayed up"},
    {"path": "panic.txt",         "type": "panic-signature", "desc": "grep -iE 'fatal trap|panic:|Stopped at|db> ' dfbsd-qemu/boot.log -> EMPTY. Includes the kernel's own race-detection messages as evidence the race was exercised."},
    {"path": "env.txt",           "type": "environment",     "desc": "uname, cc version, vfs.usermount, kernel config (X86_64_GENERIC, non-INVARIANTS)"},
    {"path": "fix.diff",          "type": "suggested-fix",   "desc": "git-apply-able unified diff: add mount_hold(mp) in mount_get_by_nc (matching vfs_getvfs) + matching mount_drop in the cache_fullpath caller"},
    {"path": "VERDICT.md",        "type": "verdict",         "desc": "full narrative: code-level proof, why the race is too tight on this kernel, classification"},
    {"path": "README.md",         "type": "readme",          "desc": "PoC overview, build/run instructions, expected output"},
    {"path": "manifest.json",     "type": "manifest",        "desc": "this catalog"}
  ]
}
