DF-0055 / run.3.log
============================================================
DF-0055 — RUN 3 (second confirmation, fresh vm.sh reset).
Identical to RUN 2 (cpuid = 0 instead of 1). 3/3 deterministic panic.
============================================================
$ ssh -F ... dfbsd '/root/udev_uaf'
[*] DF-0055: udev_event_externalize shared-dict UAF trigger
[*] forking two /dev/udev readers (two softcs/markers)...
[*] generating device attach/detach events (tap create/destroy)...
[*] each event is externalized by reader #1 (frees shared dict),
then by reader #2 (UAF: prop_object_retain on freed dict).
SSH_RC=124 (timeout; guest panicked)
--- serial console (dfbsd-qemu/boot.log) ---
panic: assertion "ocnt != 0" failed in prop_object_release at /usr/src/sys/libprop/prop_object.c:1085
cpuid = 0
Trace beginning at frame 0xfffff800aba354c8
prop_object_release() at prop_object_release+0x277 0xffffffff809e1037
prop_object_release() at prop_object_release+0x277 0xffffffff809e1037
udev_dev_read() at udev_dev_read+0x162 0xffffffff806636f2
dev_dread() at dev_dread+0xa3 0xffffffff8062c383
devfs_fo_read() at devfs_fo_read+0x100 0xffffffff80921930
kern_preadv() at kern_preadv()+0x1e5 0xffffffff806a6aa5
Debugger("panic")
CPU0 stopping CPUs: 0x00000002
stopped
Stopped at Debugger+0x7c: movb $0,0xbd77f9(%rip)
db>
vm.sh status => down