DragonFlyBSD Kernel Audit
DF-0053 / run.log
[*] MIB for jail.list: 258 257
[*] kernel reports jail.list length = 1262 bytes
[*] sysctl read returned 1262 bytes
[*] 1 jail lines -> jlssize = 1024 bytes (kmalloc(1024+1) -> bucket 1152)
[*] last 128 bytes (offset 1134..1262):
    046e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    047e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    048e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    049e  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    04ae  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    04be  00 00 00 00 00 00 00 00 00 00 00 20 20 31 30 2e  ...........  10.
    04ce  30 2e 30 2e 34 20 31 30 2e 30 2e 30 2e 33 20 31  0.0.4 10.0.0.3 1
    04de  30 2e 30 2e 30 2e 32 20 31 30 2e 30 2e 30 2e 31  0.0.0.2 10.0.0.1
[+] BUG DF-0053 CONFIRMED:
    kernel returned 1262 bytes
    jlssize (count*1024)         = 1024
    kmalloc bucket (alloc)       = 1152
    OOB READ vs jlssize          = 238 bytes
    OOB READ vs actual alloc end = 110 bytes (info leak of adjacent slab slack)
    OOB WRITE (IPs written past alloc end during IP loop) also occurred in kernel heap
    non-zero bytes in OOB-vs-alloc region: 37 (our written IPs + any stale slab data)
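The figures in the CONFIRMED block can be reproduced offline from a saved copy of the sysctl output. The C program below is an added example written for this page; it is not part of the audit tooling, of the DragonFlyBSD kernel, or of the original log. It takes as inputs the two values the log reports rather than recomputing them from the allocator: the 1024-byte per-jail stride that gives jlssize, and the 1152-byte kmalloc bucket that the kernel actually handed out for kmalloc(1024+1). The jail-line count follows the simplest reading of the log (one line per newline, plus an unterminated tail line); that counting rule and the sample buffer (1262 bytes, zero except for the 37 bytes of IP text shown in the dump) are constructed assumptions, not captured kernel data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Per-jail stride used to derive jlssize, as reported in the log (assumption: taken from the log). */
#define JAIL_LINE_STRIDE 1024
/* Allocation size kmalloc(1024+1) actually produced, as reported in the log (assumption: taken from the log). */
#define LOGGED_BUCKET 1152
/* Length the kernel reported and the sysctl read returned, per the log. */
#define LOGGED_LEN 1262

struct oob_report {
    size_t lines;              /* jail lines counted in the buffer */
    size_t jlssize;            /* lines * JAIL_LINE_STRIDE, the size the kernel reasons with */
    size_t oob_vs_jlssize;     /* bytes returned beyond jlssize */
    size_t oob_vs_alloc;       /* bytes returned beyond the real allocation (bucket) */
    size_t nonzero_past_alloc; /* non-zero bytes in the region past the allocation end */
};

/* Line count: one per '\n', plus one for an unterminated final line (assumed counting rule). */
static size_t count_jail_lines(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n')
            n++;
    if (len > 0 && buf[len - 1] != '\n')
        n++;
    return n;
}

/* Compare what the kernel returned against the size it computed and the size it allocated. */
static struct oob_report analyze_jail_list(const unsigned char *buf, size_t len, size_t bucket)
{
    struct oob_report r = {0};
    r.lines = count_jail_lines(buf, len);
    r.jlssize = r.lines * JAIL_LINE_STRIDE;
    r.oob_vs_jlssize = len > r.jlssize ? len - r.jlssize : 0;
    r.oob_vs_alloc = len > bucket ? len - bucket : 0;
    /* Anything non-zero past the allocation end is either data the IP loop wrote there
       or stale slab contents that leaked back to user space. */
    for (size_t i = bucket; i < len; i++)
        if (buf[i] != 0)
            r.nonzero_past_alloc++;
    return r;
}

/* Hex dump of the last `tail` bytes, in the same offset/hex/ASCII layout as the log. */
static void hexdump_tail(const unsigned char *buf, size_t len, size_t tail)
{
    size_t start = len > tail ? len - tail : 0;
    for (size_t off = start; off < len; off += 16) {
        printf("    %04zx ", off);
        for (size_t i = 0; i < 16; i++)
            if (off + i < len) printf(" %02x", buf[off + i]); else printf("   ");
        printf("  ");
        for (size_t i = 0; i < 16 && off + i < len; i++) {
            unsigned char c = buf[off + i];
            putchar(c >= 0x20 && c < 0x7f ? c : '.');
        }
        putchar('\n');
    }
}

/* Constructed sample mirroring the dump: zeros, then the 37 bytes of IP text at the very end. */
static size_t build_sample(unsigned char *out, size_t cap)
{
    const char *ips = "  10.0.0.4 10.0.0.3 10.0.0.2 10.0.0.1";
    size_t iplen = strlen(ips);
    if (cap < LOGGED_LEN)
        return 0;
    memset(out, 0, LOGGED_LEN);
    memcpy(out + LOGGED_LEN - iplen, ips, iplen);
    return LOGGED_LEN;
}

/* Analysis of the constructed sample with the logged bucket size. */
static struct oob_report sample_report(void)
{
    unsigned char buf[LOGGED_LEN];
    size_t len = build_sample(buf, sizeof buf);
    return analyze_jail_list(buf, len, LOGGED_BUCKET);
}

int main(void)
{
    unsigned char buf[LOGGED_LEN];
    size_t len = build_sample(buf, sizeof buf);
    struct oob_report r = analyze_jail_list(buf, len, LOGGED_BUCKET);

    hexdump_tail(buf, len, 128);
    printf("kernel returned %zu bytes\n", len);
    printf("jlssize (count*%d) = %zu\n", JAIL_LINE_STRIDE, r.jlssize);
    printf("OOB READ vs jlssize = %zu bytes\n", r.oob_vs_jlssize);
    printf("OOB READ vs alloc end (%d) = %zu bytes\n", LOGGED_BUCKET, r.oob_vs_alloc);
    printf("non-zero bytes past alloc end: %zu\n", r.nonzero_past_alloc);
    return r.oob_vs_alloc > 0 ? 1 : 0;
}
```

On a DragonFlyBSD host the buffer passed to analyze_jail_list would be the raw bytes read from the jail.list MIB; the bucket size still has to be supplied, because the slab zone kmalloc picks is not visible from user space. The non-zero count only bounds the leak from below: zero bytes past the allocation end may equally be stale slab data that happened to be zero.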