DF-0079 / env.txt
DF-0079 — guest environment for verification
============================================
UNAME = DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64
CC = cc 8.3 [DragonFly] Release/2019-02-22
NCPU = 2
ATTACKER = maxx, uid=1001, NOT in wheel (unprivileged)
Device permissions (the attack surface):
crw-rw-rw- 1 root wheel 14, 0x00000002 /dev/null (mode 0666, world-writable)
crw-rw-rw- 1 root wheel 14, 0x0000000c /dev/zero (mode 0666, world-writable)
Vulnerable source (audited master DEV tree, sys/kern/kern_memio.c):
222: mmrw(cdev_t dev, struct uio *uio, int flags)
223: {
224: int o;
225: u_int c; <-- 32-bit, truncates 64-bit iov_len
...
232: while (uio->uio_resid > 0 && error == 0) {
...
298: c = iov->iov_len; <-- /dev/null write: size_t->u_int TRUNC
...
364: c = iov->iov_len; <-- /dev/zero write: same truncation
...
380: iov->iov_len -= c; <-- subtracts c (=0) -> no progress
382: uio->uio_resid -= c; <-- subtracts c (=0) -> loop spins forever
sys_write (sys/kern/sys_generic.c:336) only rejects (ssize_t)nbyte < 0, so
nbyte = 2^32 (positive 64-bit) passes through unchanged into iov_len/uio_resid.
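User-space model of the loop excerpted above, added here for illustration (it is not code from the DragonFly tree): it runs the excerpt's arithmetic once with the original 32-bit chunk counter and once with a size_t counter, and bails out instead of spinning. It also follows the arithmetic one step past the text: any nbyte >= 2^32, not only 2^32 exactly, reaches a zero-byte iteration after at most one productive pass. MAX_ITER, drain_uint, drain_size_t and write_len_fits_counter are this model's own names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the mmrw() write loop (sys/kern/kern_memio.c), not the
 * kernel's code. iov_len/uio_resid are size_t as in struct iovec/struct uio;
 * the only difference between the two drain functions is the width of 'c'. */
_Static_assert(sizeof(size_t) == 8, "model assumes 64-bit size_t (x86_64)");

#define MAX_ITER 16   /* guard for the model only; the kernel loop has none */

/* Vulnerable shape: 'c' is 32-bit, as u_int is at kern_memio.c:225/298/364.
 * Returns iterations needed to drain nbyte, or -1 when an iteration consumes
 * 0 bytes (the point at which the real loop never makes progress). */
int drain_uint(size_t nbyte)
{
    size_t iov_len = nbyte, uio_resid = nbyte;
    int iters = 0;
    while (uio_resid > 0) {
        uint32_t c = (uint32_t)iov_len;  /* size_t -> u_int: high 32 bits lost */
        if (c == 0 || iters == MAX_ITER)
            return -1;                   /* no progress: this is the wedge */
        iov_len -= c;                    /* kern_memio.c:380 */
        uio_resid -= c;                  /* kern_memio.c:382 */
        iters++;
    }
    return iters;
}

/* Widened counter (assumed fix for the model, not DragonFly's committed
 * patch): c can only be 0 when iov_len is 0, so the loop always terminates. */
int drain_size_t(size_t nbyte)
{
    size_t iov_len = nbyte, uio_resid = nbyte;
    int iters = 0;
    while (uio_resid > 0) {
        size_t c = iov_len;
        if (c == 0 || iters == MAX_ITER)
            return -1;
        iov_len -= c;
        uio_resid -= c;
        iters++;
    }
    return iters;
}

/* Defensive pre-check for a write(2) wrapper: the request only fits the
 * 32-bit counter while nbyte <= UINT_MAX. */
int write_len_fits_counter(size_t nbyte) { return nbyte <= UINT_MAX; }
```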
Notes:
- mem cdev is D_MPSAFE | D_QUICK (kern_memio.c:85); mmrw holds NO lock while
spinning, so the wedge is a tight kernel loop that never yields, not a
lock-related deadlock.
- The wedged thread monopolizes one CPU; if that CPU services the network IRQ
(vtnet), sshd starves and the guest becomes unreachable within ~1 s. Even
when ssh survives, the wedged process cannot be killed from userspace
(no signal-check point in the loop) -> only a reboot recovers.