DF-0285 / run.sh
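#!/bin/sh
# DF-0285 run script.
#
# This finding is a WiFi-mesh-receive-path heap overflow. The audit guest is a
# KVM VM with NO wifi hardware, so the bug CANNOT be triggered at runtime here
# (see VERDICT.md "Reachability"). What we CAN and DO run is a rigorous
# code-level proof of the overflow and its reach:
#   1. layout_proof -> offsetof() table proving ni_mltimer.toc is clobbered.
#   2. frame_craft  -> builds the exact attacker pcap payload.
#   3. grep the live kernel symbol table to prove the vulnerable code is
#      actually linked into the running kernel (just not reachable w/o a radio).
#
# Exit status and the final "RUN_EXIT=<n>" line: 0 only when both proof tools
# (steps 1 and 2) ran and exited 0, otherwise 1 -- a harness must not be able
# to read a failed or missing proof tool as a completed proof. Step 3 is
# informational (every command there is best-effort on the guest) and never
# affects the status.

# Run from the script's own directory so ./layout_proof, ./frame_craft and the
# pcap path resolve; abort if that is impossible rather than running the tools
# against the caller's cwd.
cd "$(dirname "$0")" || { echo "run.sh: cannot cd to script directory" >&2; exit 1; }

run_exit=0

# Print a section header: a rule, the title in $1, a rule.
banner() {
  echo "========================================================"
  echo "$1"
  echo "========================================================"
}

# Run one proof tool ("$@" is the command line). A non-zero exit is reported
# on stderr and recorded in run_exit, but the script continues: the remaining
# steps are still useful diagnostics even when an earlier one fails.
proof_step() {
  "$@"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "run.sh: '$*' exited $rc" >&2
    run_exit=1
  fi
}

banner "[1/3] LAYOUT PROOF (overflow reach into ni_mltimer.toc)"
proof_step ./layout_proof
echo

banner "[2/3] ATTACKER PAYLOAD (crafted mesh beacon pcap)"
proof_step ./frame_craft df0285_beacon.pcap
echo "--- MESHID IE bytes (xxd, first 48 bytes of frame tail) ---"
# Show the tail where the weaponized MESHID IE lives; od is the fallback when
# xxd is not installed on the guest.
if command -v xxd >/dev/null 2>&1; then
  xxd df0285_beacon.pcap | tail -20
else
  od -A d -t x1 df0285_beacon.pcap | tail -20
fi
echo

banner "[3/3] LIVE KERNEL SYMBOL CHECK (vuln code IS linked in)"
# All of step 3 is best-effort: nm may be absent and /sys may not be on the
# guest, so each probe has an explanatory fallback and none touches run_exit.
nm /boot/kernel/kernel 2>/dev/null \
  | grep -iE 'ieee80211_parse_meshid|ieee80211_mesh_init_neighbor|mesh_peer_timeout_cb' \
  || echo "(nm not available / no symbol match)"
echo "--- config: mesh support compiled into GENERIC? ---"
grep -i "IEEE80211_SUPPORT_MESH" /sys/config/X86_64_GENERIC 2>/dev/null \
  || echo "(no /sys source on guest; verified on host: sys/config/X86_64_GENERIC:256)"
echo "--- wifi interfaces present? (expect none) ---"
ifconfig -l 2>/dev/null
echo "--- wlan module load status ---"
# NOTE(review): kldload is not a pure status query -- it loads the module if it
# is not already present. Kept as in the original; the first output line is
# the status message we want to see. kldstat -q -m wlan would be the
# non-mutating alternative if the side effect is unwanted.
kldload wlan 2>&1 | head -1
echo

if [ "$run_exit" -eq 0 ]; then
  echo "RESULT: code-level proof complete. No runtime trigger on this guest (no wifi HW)."
else
  echo "RESULT: code-level proof INCOMPLETE (a proof tool failed; see stderr above)."
fi
echo "RUN_EXIT=$run_exit"
exit "$run_exit"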