DragonFlyBSD Kernel Audit
DF-0079 — guest environment for verification
============================================

UNAME     = DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64
CC        = cc 8.3 [DragonFly] Release/2019-02-22
NCPU      = 2
ATTACKER  = maxx, uid=1001, NOT in wheel (unprivileged)

Device permissions (the attack surface):
  crw-rw-rw-  1 root  wheel  14, 0x00000002  /dev/null   (mode 0666, world-writable)
  crw-rw-rw-  1 root  wheel  14, 0x0000000c  /dev/zero   (mode 0666, world-writable)

Vulnerable source (audited master DEV tree, sys/kern/kern_memio.c):
  222: mmrw(cdev_t dev, struct uio *uio, int flags)
  223: {
  224:     int o;
  225:     u_int c;                          <-- 32-bit, truncates 64-bit iov_len
  ...
  232:     while (uio->uio_resid > 0 && error == 0) {
  ...
  298:         c = iov->iov_len;             <-- /dev/null write: size_t->u_int TRUNC
  ...
  364:         c = iov->iov_len;             <-- /dev/zero write: same truncation
  ...
  380:     iov->iov_len -= c;                <-- subtracts c (=0) -> no progress
  382:     uio->uio_resid -= c;              <-- subtracts c (=0) -> loop spins forever

sys_write (sys/kern/sys_generic.c:336) only rejects (ssize_t)nbyte < 0, so
nbyte = 2^32 (positive 64-bit) passes through unchanged into iov_len/uio_resid.
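As an added illustration (not the audited kernel code and not the project's patch; it assumes an LP64 build where size_t is 64-bit, as on the x86_64 guest above), the following userspace model reproduces the u_int counter truncation the excerpt annotates and contrasts it with a clamped counter that always makes progress:

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the audited write loop: the chunk counter c is a 32-bit u_int, so
 * a 64-bit iov_len of exactly 2^32 becomes c == 0 and nothing is subtracted.
 * Returns the iterations needed to drain nbyte, or -1 when an iteration makes
 * no progress (in the kernel that is the unkillable spin, so we bail out). */
static long drain_truncated(size_t nbyte)
{
    size_t iov_len = nbyte, resid = nbyte;  /* iov->iov_len / uio->uio_resid */
    long iters = 0;
    while (resid > 0) {
        unsigned int c = (unsigned int)iov_len;  /* size_t -> u_int truncation */
        if (c == 0)
            return -1;                           /* resid would never shrink */
        iov_len -= c;
        resid -= c;
        iters++;
    }
    return iters;
}

/* One possible remedy (an assumption here, not the project's fix): keep the
 * 32-bit counter but clamp each chunk to INT_MAX so it can never wrap to 0. */
static long drain_clamped(size_t nbyte)
{
    size_t iov_len = nbyte, resid = nbyte;
    long iters = 0;
    while (resid > 0) {
        unsigned int c = (iov_len > INT_MAX) ? INT_MAX : (unsigned int)iov_len;
        iov_len -= c;
        resid -= c;
        iters++;
    }
    return iters;
}

int main(void)
{
    size_t big = (size_t)1 << 32;  /* the nbyte the finding describes; needs 64-bit size_t */
    printf("truncated: 4096 -> %ld iters, 2^32 -> %ld (-1 = wedge)\n",
           drain_truncated(4096), drain_truncated(big));
    printf("clamped:   4096 -> %ld iters, 2^32 -> %ld\n",
           drain_clamped(4096), drain_clamped(big));
    return 0;
}
```

The model bails out where the kernel loop cannot, which is exactly the missing progress check a fix must restore, whether by widening c or by clamping it.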

Notes:
  - mem cdev is D_MPSAFE | D_QUICK (kern_memio.c:85); mmrw holds NO lock while
    spinning, so the wedge is a pure unyielding tight kernel loop, not a lockup.
  - The wedged thread monopolizes one CPU; if that CPU services the network IRQ
    (vtnet), sshd starves and the guest becomes unreachable within ~1 s. Even
    when ssh survives, the wedged process cannot be killed from userspace
    (no signal-check point in the loop) -> only a reboot recovers.