DragonFlyBSD Kernel Audit
DF-0117 / manifest.json
{
  "finding_id": "DF-0117",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "c7478e807e9011f89f95ac69b49d3c3b5e7da4a481acd4f9701dc063f31300ce",
  "tested_at": "2026-07-01T09:25:00Z",
  "verdict": "NOT_REPRODUCED",
  "impact": "none",
  "confidence": "high",
  "reproduce": {
    "build": "./build.sh",
    "run": "./run.sh 1 256 2000",
    "expected": "trigger exits 0, guest stays up, dmesg is clean, debug.blk_active returns to 0, and dfbsd-qemu/boot.log contains no panic markers. A vulnerable kernel would instead panic in diskiodone or kdmsg_state_free, or page-fault on a freed kdmsg_state_t."
  },
  "kernel_refs": [
    "sys/kern/subr_diskiocom.c:375",
    "sys/kern/subr_diskiocom.c:451",
    "sys/kern/subr_diskiocom.c:503",
    "sys/kern/subr_diskiocom.c:554",
    "sys/kern/subr_diskiocom.c:580",
    "sys/kern/subr_diskiocom.c:582",
    "sys/kern/subr_diskiocom.c:650",
    "sys/kern/subr_diskiocom.c:661",
    "sys/kern/subr_diskiocom.c:662",
    "sys/kern/kern_dmsg.c:909",
    "sys/kern/kern_dmsg.c:910",
    "sys/kern/kern_dmsg.c:1670",
    "sys/kern/kern_dmsg.c:1707",
    "sys/kern/kern_dmsg.c:1748",
    "sys/kern/kern_dmsg.c:1988"
  ],
  "artifacts": [
    {"path": "trigger.c",        "type": "trigger-source", "desc": "DIOCRECLUSTER iocom attach + forged DMSG BLK_READ wire messages + connection-teardown race (single-shot per process)"},
    {"path": "build.sh",         "type": "build-script",   "desc": "cc -O2 -o trigger trigger.c -lpthread"},
    {"path": "run.sh",           "type": "run-script",     "desc": "pkill hammer2 + ./trigger <mode> <nreads> <preclose_us>; one mode per invocation (reset between modes)"},
    {"path": "build.log",        "type": "build-log",      "desc": "final successful build, full output"},
    {"path": "run.log",          "type": "run-log",        "desc": "decisive run: mode=1 (CREATE|DELETE eof=1), 256 reads, exit 0, no panic"},
    {"path": "run.mode2.log",    "type": "run-log",        "desc": "mode=2 (CREATE then explicit DELETE), 512 reads, immediate close, exit 0"},
    {"path": "run.hipress.log",  "type": "run-log",        "desc": "high-pressure mode=1, 1024 reads, immediate close, no panic, boot.log panic markers = 0"},
    {"path": "env.txt",          "type": "environment",    "desc": "uname, cc version, post-run blk_active=0, no iocom threads, dmesg clean"},
    {"path": "VERDICT.md",       "type": "verdict",        "desc": "full narrative: line-by-line lifetime trace, why the UAF is not reachable, evidence table"},
    {"path": "README.md",        "type": "readme",         "desc": "summary, file list, build/run, expected output"},
    {"path": "manifest.json",    "type": "manifest",       "desc": "this catalog"}
  ]
}