DF-0053 / run.log
[*] MIB for jail.list: 258 257
[*] kernel reports jail.list length = 1262 bytes
[*] sysctl read returned 1262 bytes
[*] 1 jail lines -> jlssize = 1024 bytes (kmalloc(1024+1) -> bucket 1152)
[*] last 128 bytes (offset 1134..1262):
046e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
047e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
048e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
049e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04be 00 00 00 00 00 00 00 00 00 00 00 20 20 31 30 2e ........... 10.
04ce 30 2e 30 2e 34 20 31 30 2e 30 2e 30 2e 33 20 31 0.0.4 10.0.0.3 1
04de 30 2e 30 2e 30 2e 32 20 31 30 2e 30 2e 30 2e 31 0.0.0.2 10.0.0.1
[+] BUG DF-0053 CONFIRMED:
kernel returned 1262 bytes
jlssize (count*1024) = 1024
kmalloc bucket (alloc) = 1152
OOB READ vs jlssize = 238 bytes
OOB READ vs actual alloc end = 110 bytes (info leak of adjacent slab slack)
OOB WRITE (IPs written past alloc end during IP loop) also occurred in kernel heap
non-zero bytes in OOB-vs-alloc region: 37 (our written IPs + any stale slab data)