DF-0117 / manifest.json
{ "finding_id": "DF-0117", "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64", "code_hash": "c7478e807e9011f89f95ac69b49d3c3b5e7da4a481acd4f9701dc063f31300ce", "tested_at": "2026-07-01T09:25:00Z", "verdict": "NOT_REPRODUCED", "impact": "none", "confidence": "high", "reproduce": { "build": "./build.sh", "run": "./run.sh 1 256 2000", "expected": "trigger exits 0, guest stays up, dmesg clean, debug.blk_active -> 0, no panic markers in dfbsd-qemu/boot.log (a vulnerable kernel would panic in diskiodone / kdmsg_state_free / page-fault on freed kdmsg_state_t)" }, "kernel_refs": [ "sys/kern/subr_diskiocom.c:375", "sys/kern/subr_diskiocom.c:451", "sys/kern/subr_diskiocom.c:503", "sys/kern/subr_diskiocom.c:554", "sys/kern/subr_diskiocom.c:580", "sys/kern/subr_diskiocom.c:582", "sys/kern/subr_diskiocom.c:650", "sys/kern/subr_diskiocom.c:661", "sys/kern/subr_diskiocom.c:662", "sys/kern/kern_dmsg.c:909", "sys/kern/kern_dmsg.c:910", "sys/kern/kern_dmsg.c:1670", "sys/kern/kern_dmsg.c:1707", "sys/kern/kern_dmsg.c:1748", "sys/kern/kern_dmsg.c:1988" ], "artifacts": [ {"path": "trigger.c", "type": "trigger-source", "desc": "DIOCRECLUSTER iocom attach + forged DMSG BLK_READ wire messages + connection-teardown race (single-shot per process)"}, {"path": "build.sh", "type": "build-script", "desc": "cc -O2 -o trigger trigger.c -lpthread"}, {"path": "run.sh", "type": "run-script", "desc": "pkill hammer2 + ./trigger <mode> <nreads> <preclose_us>; one mode per invocation (reset between modes)"}, {"path": "build.log", "type": "build-log", "desc": "final successful build, full output"}, {"path": "run.log", "type": "run-log", "desc": "decisive run: mode=1 (CREATE|DELETE eof=1), 256 reads, exit 0, no panic"}, {"path": "run.mode2.log", "type": "run-log", "desc": "mode=2 (CREATE then explicit DELETE), 512 reads, immediate close, exit 0"}, {"path": 
"run.hipress.log", "type": "run-log", "desc": "high-pressure mode=1, 1024 reads, immediate close, no panic, boot.log panic markers = 0"}, {"path": "env.txt", "type": "environment", "desc": "uname, cc version, post-run blk_active=0, no iocom threads, dmesg clean"}, {"path": "VERDICT.md", "type": "verdict", "desc": "full narrative: line-by-line lifetime trace, why the UAF is not reachable, evidence table"}, {"path": "README.md", "type": "readme", "desc": "summary, file list, build/run, expected output"}, {"path": "manifest.json", "type": "manifest", "desc": "this catalog"} ] }