DragonFlyBSD Kernel Audit
DF-0053 / leak_sample.txt
DF-0053 OOB leak sample (3 runs, byte-identical: the adjacent slab chunk had been
freshly allocated with M_ZERO, so the only non-zero bytes in the out-of-bounds
region are the ASCII addresses the IP loop wrote past the end of the buffer).

OOB-vs-alloc region: offsets [1152, 1262) of the returned buffer, i.e. the 110 bytes
past the 1152-byte allocation up to the 1262 bytes the sysctl copied out.
Of those, 37 are non-zero, and all 37 are the addresses we configured, as the IP
loop wrote them past the buffer end ("  10.0.0.4 10.0.0.3 ...", starting at
offset 1225 = 0x4c9).

Tail 128 bytes (offsets 1134..1262, i.e. 0x46e..0x4ee; the allocation boundary at
1152 = 0x480 falls two bytes into the 047e row), identical across runs 1/2/3:
    046e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    047e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    048e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    049e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    04ae  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    04be  00 00 00 00 00 00 00 00 00 00 00 20 20 31 30 2e  ...........  10.
    04ce  30 2e 30 2e 34 20 31 30 2e 30 2e 30 2e 33 20 31  0.0.4 10.0.0.3 1
    04de  30 2e 30 2e 30 2e 32 20 31 30 2e 30 2e 30 2e 31  0.0.0.2 10.0.0.1

Note on variance: these runs do NOT show stale kernel pointer residue because
the adjacent 1152-byte slab chunk had been freshly allocated and zeroed (M_ZERO),
which is why the 73 OOB bytes before the address string are all zero. A meaningful
pointer leak would require heap grooming (spraying the 1152-byte bucket with
objects containing function/data pointers before triggering the sysctl) -- the
OOB read LENGTH (110 bytes) is proven regardless and does not depend on what the
neighbouring chunk happens to contain.
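As an added check (example code written for this page, not part of the audit artifact or of DragonFly), the script below re-derives the figures above from the hexdump rows themselves: it parses the 128-byte tail, slices off the region past the 1152-byte allocation, recomputes the 110-byte length and the 37 non-zero bytes, extracts the printable run and its offset, and adds the two tests a triager wants once groomed runs come in: a per-byte diff across runs (non-empty means the neighbour was not M_ZERO-fresh) and a heuristic scan for kernel-pointer-looking qwords. ALLOC_SIZE and RETURNED_LEN are the page's numbers; KPTR_MASK (amd64 high canonical half) is an assumption this page does not state.

```python
"""Re-derive the DF-0053 leak_sample.txt figures from the hexdump tail above.

Added example for this page, not part of the audit artifact or of DragonFly.
ALLOC_SIZE and RETURNED_LEN are the page's numbers; KPTR_MASK is an assumption
about the target's address layout that the page does not state.
"""
import re

ALLOC_SIZE = 1152     # size of the slab chunk the buffer came from (from the page)
RETURNED_LEN = 1262   # bytes the sysctl copied out (from the page)

# The 128-byte tail exactly as shown on this page (offsets 0x46e..0x4ee).
TAIL_DUMP = """\
046e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
047e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
048e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
049e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04ae  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
04be  00 00 00 00 00 00 00 00 00 00 00 20 20 31 30 2e  ...........  10.
04ce  30 2e 30 2e 34 20 31 30 2e 30 2e 30 2e 33 20 31  0.0.4 10.0.0.3 1
04de  30 2e 30 2e 30 2e 32 20 31 30 2e 30 2e 30 2e 31  0.0.0.2 10.0.0.1
"""


def parse_hexdump(text):
    """(base_offset, data) for a contiguous 'offset  hex  ascii' dump whose
    columns are separated by two or more spaces; the ASCII column is ignored."""
    base = nxt = None
    out = bytearray()
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if (len(cols) < 2 or not re.fullmatch(r"[0-9a-fA-F]+", cols[0])
                or not re.fullmatch(r"(?:[0-9a-fA-F]{2} ?)+", cols[1])):
            continue
        off = int(cols[0], 16)
        if base is None:
            base = off
        elif off != nxt:
            raise ValueError(f"row {off:#x} is not contiguous (expected {nxt:#x})")
        row = bytes.fromhex(cols[1].replace(" ", ""))
        out += row
        nxt = off + len(row)
    if base is None:
        raise ValueError("no hexdump rows found")
    return base, bytes(out)


def oob_region(base, data, alloc_size=ALLOC_SIZE, returned_len=RETURNED_LEN):
    """Bytes of the dump past the allocation: offsets [alloc_size, returned_len)."""
    if base + len(data) != returned_len or base > alloc_size:
        raise ValueError("dump must end at returned_len and cover the boundary")
    return data[alloc_size - base:returned_len - base]


def printable_runs(buf, min_len=4):
    """Runs of >= min_len printable ASCII bytes, as (offset_in_buf, text)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pat, buf)]


def diff_runs(runs):
    """Offsets where equal-length runs disagree.  Empty is what an M_ZERO-fresh
    neighbour gives; non-empty means stale, run-dependent residue: look closer."""
    if len({len(r) for r in runs}) != 1:
        raise ValueError("runs must all have the same length")
    return [i for i in range(len(runs[0])) if len({r[i] for r in runs}) > 1]


# Assumption, not from the page: kernel addresses on amd64 sit in the high
# canonical half, so a little-endian qword with these bits set looks like one.
KPTR_MASK = 0xFFFF_8000_0000_0000


def pointer_like_words(buf, region_base):
    """Aligned qwords in buf passing the KPTR_MASK test, as (abs_offset, value)."""
    hits = []
    for i in range(0, len(buf) - 7, 8):
        val = int.from_bytes(buf[i:i + 8], "little")
        if (val & KPTR_MASK) == KPTR_MASK:
            hits.append((region_base + i, val))
    return hits


def analyze(dump_text=TAIL_DUMP):
    """Everything the page states about the sample, recomputed from the dump."""
    base, data = parse_hexdump(dump_text)
    oob = oob_region(base, data)
    return {"oob_len": len(oob),
            "nonzero": sum(1 for b in oob if b),
            "runs": printable_runs(oob),
            "pointers": pointer_like_words(oob, ALLOC_SIZE)}


if __name__ == "__main__":
    r = analyze()
    print(f"OOB region: {r['oob_len']} bytes, {r['nonzero']} non-zero")
    for off, text in r["runs"]:
        print(f"  run at +{off} (offset {ALLOC_SIZE + off:#x}): {text!r}")
    print(f"pointer-like words: {r['pointers'] or 'none'}")
```

Run stand-alone it reports the 110-byte region, the 37 non-zero bytes and the address string at +73 (offset 0x4c9). After grooming, feed the OOB slices of several runs to diff_runs and each slice to pointer_like_words to separate deterministic zero fill from residue worth reporting; a pointer hit only counts if it is also stable across runs or explained by the spray.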