DF-0079 — guest environment for verification
============================================

UNAME    = DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64
CC       = cc 8.3 [DragonFly] Release/2019-02-22
NCPU     = 2
ATTACKER = maxx, uid=1001, NOT in wheel (unprivileged)

Device permissions (the attack surface):

  crw-rw-rw-  1 root  wheel  14, 0x00000002  /dev/null   (mode 0666, world-writable)
  crw-rw-rw-  1 root  wheel  14, 0x0000000c  /dev/zero   (mode 0666, world-writable)

Vulnerable source (audited master DEV tree, sys/kern/kern_memio.c):

  222: mmrw(cdev_t dev, struct uio *uio, int flags)
  223: {
  224:     int o;
  225:     u_int c;                        <-- 32-bit, truncates 64-bit iov_len
  ...
  232:     while (uio->uio_resid > 0 && error == 0) {
  ...
  298:         c = iov->iov_len;           <-- /dev/null write: size_t->u_int TRUNC
  ...
  364:         c = iov->iov_len;           <-- /dev/zero write: same truncation
  ...
  380:         iov->iov_len -= c;          <-- subtracts c (=0) -> no progress
  382:         uio->uio_resid -= c;        <-- subtracts c (=0) -> loop spins forever

sys_write (sys/kern/sys_generic.c:336) only rejects (ssize_t)nbyte < 0, so
nbyte = 2^32 (positive 64-bit) passes through unchanged into iov_len/uio_resid.

Notes:
- mem cdev is D_MPSAFE | D_QUICK (kern_memio.c:85); mmrw holds NO lock while
  spinning, so the wedge is a pure unyielding tight kernel loop, not a lockup.
- The wedged thread monopolizes one CPU; if that CPU services the network IRQ
  (vtnet), sshd starves and the guest becomes unreachable within ~1 s. Even when
  ssh survives, the wedged process cannot be killed from userspace (no
  signal-check point in the loop) -> only a reboot recovers.
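Added here as an illustration, not code from the audited DragonFly tree: a user-space model of the mmrw() write loop that contrasts the truncating u_int chunk size with a clamped one, so the no-progress condition and its fix can be checked without touching a kernel. The model struct, MAX_ITER guard and chunk_bounded() are assumptions for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ITER 1000000   /* guard so the buggy model terminates in user space */

/* Model of the null/zero write path. Lengths are uint64_t to mirror the
 * 64-bit size_t of iov_len / uio_resid on x86_64. */
struct model_uio {
    uint64_t iov_len;   /* iov->iov_len */
    uint64_t resid;     /* uio->uio_resid */
};

/* Buggy chunk size: size_t assigned to a 32-bit u_int (kern_memio.c:298/364).
 * For len == 2^32 the result is 0. */
static unsigned int chunk_truncating(uint64_t len)
{
    unsigned int c = len;
    return c;
}

/* Hardened chunk size: clamp to what the 32-bit counter can hold, so c is
 * never 0 while bytes remain and every iteration makes progress. */
static unsigned int chunk_bounded(uint64_t len)
{
    return (unsigned int)(len > UINT_MAX ? UINT_MAX : len);
}

/* Drive the loop model. Returns the iteration count, or -1 if the guard
 * fired before resid drained (the kernel loop would spin forever). */
static long run_loop(uint64_t nbyte, unsigned int (*chunk)(uint64_t))
{
    struct model_uio u = { nbyte, nbyte };
    long iters = 0;
    while (u.resid > 0) {                  /* line 232 */
        if (iters++ >= MAX_ITER)
            return -1;
        unsigned int c = chunk(u.iov_len);
        u.iov_len -= c;                    /* line 380 */
        u.resid   -= c;                    /* line 382 */
    }
    return iters;
}

int main(void)
{
    uint64_t n = (uint64_t)1 << 32;        /* the nbyte sys_write lets through */
    printf("truncating: %ld iterations\n", run_loop(n, chunk_truncating)); /* -1 */
    printf("bounded:    %ld iterations\n", run_loop(n, chunk_bounded));    /* 2 */
    return 0;
}
```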