{
  "finding_id": "DF-0281",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "9b7b10f181cf2caf37a35f0d519fdb6b876ba304e6499b91d7e2754c81f75871",
  "tested_at": "2026-07-01T14:18:00Z",
  "verdict": "INCONCLUSIVE",
  "impact": "none (code-level: deterministic kernel #DE/panic DoS, unreachable on this guest)",
  "confidence": "certain",
  "reproduce": {
    "build": "./build.sh",
    "run": "./run.sh",
    "expected": "Vulnerable arithmetic path: STEP 1..3 prints then '### SIGFPE: divide by zero at step 3 (send_credits, line 3283) ###' (the zero divisor that in-kernel raises #DE -> panic). Guarded path (-DFIX_MTU): 'NO FAULT: pcb->mtu was guarded ...'. This is a userspace replication of the kernel arithmetic, NOT a kernel trigger -- the ng_btsocket module is absent from this guest (see env.txt)."
  },
  "kernel_refs": [
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:3019",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:3283",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2429",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2438",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2356",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2553",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2881",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:1665",
    "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:432",
    "sys/netgraph7/bluetooth/include/ng_btsocket_rfcomm.h:176",
    "sys/netgraph7/bluetooth/include/ng_btsocket_rfcomm.h:45",
    "sys/netgraph7/bluetooth/include/ng_btsocket_rfcomm.h:49",
    "sys/sys/socketvar.h:270",
    "sys/netgraph7/bluetooth/socket/Makefile"
  ],
  "artifacts": [
    {"path": "divzero_proof.c",  "type": "trigger-source",  "desc": "userspace replication of the exact kernel arithmetic on the confirmed divide-by-zero path (annotated with kernel source lines); NOT a kernel trigger"},
    {"path": "build.sh",         "type": "build-script",    "desc": "cc -O2 -Wall divzero_proof.c (and -DFIX_MTU guarded variant)"},
    {"path": "run.sh",           "type": "run-script",      "desc": "runs vulnerable path (expect SIGFPE) then guarded path (expect clean exit)"},
    {"path": "build.log",        "type": "build-log",       "desc": "full untrimmed cc output, both binaries, exit 0"},
    {"path": "run.log",          "type": "run-log",         "desc": "decisive run: vulnerable path reaches SIGFPE (#DE), guarded path completes cleanly"},
    {"path": "run.stress.log",   "type": "run-log",         "desc": "3x repeat of vulnerable path -- deterministic SIGFPE every run"},
    {"path": "env.txt",          "type": "environment",     "desc": "uname, cc, kldstat, kldload ng_btsocket (ENOENT), module search (empty), kernel-symbol count (0), AF_BLUETOOTH socket() = -1, no /usr/src/sys -- reachability evidence"},
    {"path": "fix.diff",         "type": "suggested-fix",   "desc": "git-apply-able: clamp mtu!=0 in set_pn (root cause) + guard divisor in send_credits (defense-in-depth); validated git apply --check rc=0"},
    {"path": "VERDICT.md",       "type": "verdict",         "desc": "full narrative: line-by-line static proof of the divide-by-zero + runtime-reachability analysis (module absent, needs bluetooth HW)"},
    {"path": "README.md",        "type": "readme",          "desc": "build/run/expected + how to reproduce the kernel panic on HW-equipped host + reachability caveat"},
    {"path": "manifest.json",    "type": "manifest",        "desc": "this catalog"}
  ]
}
