DF-0044 / manifest.json
{ "finding_id": "DF-0044", "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64", "code_hash": "936eb1db7b5cc8a3390a617cf0c1e3f98c047d4e04aea5208cdebf5e436f4a5d", "tested_at": "2026-07-01T21:08:00Z", "verdict": "NOT REPRODUCED (race too tight) -- code-level bug CONFIRMED", "impact": "none (on this kernel); theoretical panic/info-leak if the race is won", "confidence": "certain (code-level); likely (race too tight to demonstrate)", "reproduce": { "build": "./build.sh", "run": "./run.sh 60", "expected": "On a non-INVARIANTS kernel: process exits cleanly with 'still alive -- race not won this run' (the race is real but the deref at vfs_cache.c:5224 finishes in nanoseconds while dounmount's kfree is gated by an mnt_refs drain that takes milliseconds). On an INVARIANTS kernel or with successful heap grooming: kernel panic in _cache_hold on a bogus ncp, or a slab-use-after-free signature." }, "kernel_refs": [ "sys/kern/vfs_mount.c:1235", "sys/kern/vfs_mount.c:1240", "sys/kern/vfs_mount.c:1245", "sys/kern/vfs_mount.c:1247", "sys/kern/vfs_mount.c:413", "sys/kern/vfs_mount.c:418", "sys/kern/vfs_mount.c:420", "sys/kern/vfs_mount.c:421", "sys/kern/vfs_mount.c:756", "sys/kern/vfs_mount.c:784", "sys/kern/vfs_mount.c:393", "sys/kern/vfs_mount.c:399", "sys/kern/vfs_mount.c:401", "sys/kern/vfs_mount.c:403", "sys/kern/vfs_cache.c:5213", "sys/kern/vfs_cache.c:5214", "sys/kern/vfs_cache.c:5224", "sys/kern/vfs_cache.c:5227", "sys/kern/vfs_cache.c:5228", "sys/kern/vfs_syscalls.c:1040", "sys/kern/vfs_syscalls.c:1066", "sys/kern/vfs_syscalls.c:1069", "sys/kern/vfs_syscalls.c:1108", "sys/kern/vfs_syscalls.c:1110", "sys/kern/vfs_syscalls.c:1117", "sys/kern/vfs_syscalls.c:931", "sys/kern/vfs_syscalls.c:946", "sys/kern/vfs_syscalls.c:988", "sys/kern/vfs_nlookup.c:1056", "sys/vfs/procfs/procfs_map.c:181" ], "artifacts": [ {"path": "mount_uaf.c", "type": "trigger-source", "desc": "unprivileged PoC: cycler threads mount+unmount a tmpfs the binary sits inside, while reader threads read /proc/self/map (driving vn_fullpath guess=1 -> cache_fullpath -> mount_get_by_nc -> deref of new_mp->mnt_ncmounton)"}, {"path": "mount_uaf_root.c", "type": "trigger-source", "desc": "root-only variant using MNT_FORCE for a faster free-side cycle (defeated by allproc_scan SIGKILL of the test process itself)"}, {"path": "build.sh", "type": "build-script", "desc": "cc -pthread -O2 -o mount_uaf mount_uaf.c (and the root variant)"}, {"path": "run.sh", "type": "run-script", "desc": "sets up the cycled mount, hosts the binary inside, runs the unprivileged variant"}, {"path": "build.log", "type": "build-log", "desc": "final successful build of both variants on the guest"}, {"path": "run.log", "type": "run-log", "desc": "decisive 60s unprivileged run: 288137 deref iters, 2 successful free cycles, no panic, guest stayed up"}, {"path": "panic.txt", "type": "panic-signature", "desc": "grep -iE 'fatal trap|panic:|Stopped at|db> ' dfbsd-qemu/boot.log -> EMPTY. Includes the kernel's own race-detection messages as evidence the race was exercised."}, {"path": "env.txt", "type": "environment", "desc": "uname, cc version, vfs.usermount, kernel config (X86_64_GENERIC, non-INVARIANTS)"}, {"path": "fix.diff", "type": "suggested-fix", "desc": "git-apply-able unified diff: add mount_hold(mp) in mount_get_by_nc (matching vfs_getvfs) + matching mount_drop in the cache_fullpath caller"}, {"path": "VERDICT.md", "type": "verdict", "desc": "full narrative: code-level proof, why the race is too tight on this kernel, classification"}, {"path": "README.md", "type": "readme", "desc": "PoC overview, build/run instructions, expected output"}, {"path": "manifest.json", "type": "manifest", "desc": "this catalog"} ] } |