DF-0281 / manifest.json
{ "finding_id": "DF-0281", "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64", "code_hash": "9b7b10f181cf2caf37a35f0d519fdb6b876ba304e6499b91d7e2754c81f75871", "tested_at": "2026-07-01T14:18:00Z", "verdict": "INCONCLUSIVE", "impact": "none (code-level: deterministic kernel #DE/panic DoS, unreachable on this guest)", "confidence": "certain", "reproduce": { "build": "./build.sh", "run": "./run.sh", "expected": "Vulnerable arithmetic path: prints STEP 1..3, then '### SIGFPE: divide by zero at step 3 (send_credits, line 3283) ###' (the zero divisor that, in-kernel, raises #DE -> panic). Guarded path (-DFIX_MTU): 'NO FAULT: pcb->mtu was guarded ...'. This is a userspace replication of the kernel arithmetic, NOT a kernel trigger -- the ng_btsocket module is absent from this guest (see env.txt)." }, "kernel_refs": [ "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:3019", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:3283", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2429", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2438", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2356", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2553", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2881", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:1665", "sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:432", "sys/netgraph7/bluetooth/include/ng_btsocket_rfcomm.h:176", "sys/netgraph7/bluetooth/include/ng_btsocket_rfcomm.h:45", "sys/netgraph7/bluetooth/include/ng_btsocket_rfcomm.h:49", "sys/sys/socketvar.h:270", "sys/netgraph7/bluetooth/socket/Makefile" ], "artifacts": [ {"path": "divzero_proof.c", "type": "trigger-source", "desc": "userspace replication of the exact kernel arithmetic on the confirmed divide-by-zero path (annotated with kernel source lines); NOT a kernel trigger"}, {"path":
"build.sh", "type": "build-script", "desc": "cc -O2 -Wall divzero_proof.c (and -DFIX_MTU guarded variant)"}, {"path": "run.sh", "type": "run-script", "desc": "runs vulnerable path (expect SIGFPE) then guarded path (expect clean exit)"}, {"path": "build.log", "type": "build-log", "desc": "full untrimmed cc output, both binaries, exit 0"}, {"path": "run.log", "type": "run-log", "desc": "decisive run: vulnerable path reaches SIGFPE (#DE), guarded path completes cleanly"}, {"path": "run.stress.log", "type": "run-log", "desc": "3x repeat of vulnerable path -- deterministic SIGFPE every run"}, {"path": "env.txt", "type": "environment", "desc": "uname, cc, kldstat, kldload ng_btsocket (ENOENT), module search (empty), kernel-symbol count (0), AF_BLUETOOTH socket() = -1, no /usr/src/sys -- reachability evidence"}, {"path": "fix.diff", "type": "suggested-fix", "desc": "git-apply-able: clamp mtu!=0 in set_pn (root cause) + guard divisor in send_credits (defense-in-depth); validated git apply --check rc=0"}, {"path": "VERDICT.md", "type": "verdict", "desc": "full narrative: line-by-line static proof of the divide-by-zero + runtime-reachability analysis (module absent, needs bluetooth HW)"}, {"path": "README.md", "type": "readme", "desc": "build/run/expected + how to reproduce the kernel panic on HW-equipped host + reachability caveat"}, {"path": "manifest.json", "type": "manifest", "desc": "this catalog"} ] }