DragonFlyBSD Kernel Audit
DF-0243 / run.log
← back to finding ↓ download raw
=== math proof: the wrap is equivalent to the signed op ===
offset=22 length=257 (offset<length: underflow branch active)

field        buggy-path      intended        expected        verdict
begin_envv   0x1016         0x1016         0x1016         ALL MATCH
endp         0x1016         0x1016         0x1016         ALL MATCH
space        262122         262122         262122         ALL MATCH

begin_envv = buf + 22  (well inside the ARG_MAX+PATH_MAX buffer)
=> the size_t wrap is mathematically equivalent to the signed op.
=> NO wild pointer, NO corruption, NO panic. FALSE POSITIVE.

=== argv[0] length = 256 ===
DF0243_SCRIPT_RAN
DF0243_CHILD_EXIT code=0 (0=script ran /bin/sh; 127=execve failed errno-path)
DF0243_NO_PANIC: script executed normally -- underflow did not crash

=== argv[0] length = 1024 ===
DF0243_SCRIPT_RAN
DF0243_CHILD_EXIT code=0 (0=script ran /bin/sh; 127=execve failed errno-path)
DF0243_NO_PANIC: script executed normally -- underflow did not crash

=== argv[0] length = 4096 ===
DF0243_SCRIPT_RAN
DF0243_CHILD_EXIT code=0 (0=script ran /bin/sh; 127=execve failed errno-path)
DF0243_NO_PANIC: script executed normally -- underflow did not crash

=== argv[0] length = 32768 ===
DF0243_SCRIPT_RAN
DF0243_CHILD_EXIT code=0 (0=script ran /bin/sh; 127=execve failed errno-path)
DF0243_NO_PANIC: script executed normally -- underflow did not crash

=== argv[0] length = 131072 ===
DF0243_SCRIPT_RAN
DF0243_CHILD_EXIT code=0 (0=script ran /bin/sh; 127=execve failed errno-path)
DF0243_NO_PANIC: script executed normally -- underflow did not crash

=== argv[0] length = 262140 ===
DF0243_SCRIPT_RAN
DF0243_CHILD_EXIT code=0 (0=script ran /bin/sh; 127=execve failed errno-path)
DF0243_NO_PANIC: script executed normally -- underflow did not crash

RUN_OK (no panic at any length -- false positive confirmed)
RUN_SH_EXIT=0