DragonFlyBSD Kernel Audit
DF-0055 / run.log
============================================================
DF-0055 — RUN 1 (decisive). Guest up; root shell over ssh.
After this run the guest panicked; ssh timed out (RC=124) because the
kernel was in ddb. Panic captured in dfbsd-qemu/boot.log (see panic.txt).
============================================================
$ ssh -F ... dfbsd '/root/udev_uaf'
[*] DF-0055: udev_event_externalize shared-dict UAF trigger
[*] forking two /dev/udev readers (two softcs/markers)...
[*] generating device attach/detach events (tap create/destroy)...
[*] each event is externalized by reader #1 (frees shared dict),
    then by reader #2 (UAF: prop_object_retain on freed dict).
<hang — kernel panicked in reader #2's externalize>
SSH_RC=124   (timeout; guest was in ddb>)

--- serial console (dfbsd-qemu/boot.log) at this point ---
login: tap0: MAC address: 00:bd:16:71:00:00
panic: memory chunk 0xfffff80067b36860 is already free!
cpuid = 1
Trace beginning at frame 0xfffff800ab6ec448
chunk_mark_free() at chunk_mark_free+0xae 0xffffffff806554ce
chunk_mark_free() at chunk_mark_free+0xae 0xffffffff806554ce
_kfree() at _kfree+0x262 0xffffffff806577f2
_prop_dictionary_free() at _prop_dictionary_free+0xe0 0xffffffff809dc290
prop_object_release() at prop_object_release+0xfd 0xffffffff809e0ebd
udev_dev_read() at udev_dev_read+0x14f 0xffffffff806636df
Debugger("panic")

CPU1 stopping CPUs: 0x00000001
 stopped
Stopped at      Debugger+0x7c:  movb    $0,0xbd77f9(%rip)
db>

vm.sh status => down (guest in ddb, must reset)