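#!/bin/sh
# DF-0285 run script.
#
# This finding is a WiFi-mesh-receive-path heap overflow. The audit guest is a
# KVM VM with NO wifi hardware, so the bug CANNOT be triggered at runtime here
# (see VERDICT.md "Reachability"). What we CAN and DO run is a rigorous
# code-level proof of the overflow and its reach:
#   1. layout_proof  -> offsetof() table proving ni_mltimer.toc is clobbered.
#   2. frame_craft   -> builds the exact attacker pcap payload.
#   3. grep the live kernel symbol table to prove the vulnerable code is
#      actually linked into the running kernel (just not reachable w/o a radio).
#
# Usage:   ./run.sh        (may be invoked from any cwd; it cd's to its own dir)
# Inputs:  ./layout_proof and ./frame_craft must be built beside this script.
# Output:  a report on stdout, ending in "RUN_EXIT=<n>". n is 0 only when both
#          proof tools (steps 1 and 2) exited 0; the step-3 host probes are
#          informational and never affect the result. The exit status equals n.
# Side effects: writes df0285_beacon.pcap next to this script. Step 3 calls
#          kldload(8), which attempts to load the wlan module into the running
#          kernel (a state change that normally requires root). Nothing is
#          transmitted by this script itself; what the two tools do beyond
#          their documented outputs is not visible from here.
#
# POSIX sh only (no arrays, [[ ]] or pipefail): per-step status is tracked by
# hand in "rc" instead of using set -e, which would abort the run on the purely
# informational probes in step 3.

set -u

# Print a section banner: rule, title, rule.
banner() {
  echo "========================================================"
  echo "$1"
  echo "========================================================"
}

# Record a failed proof step. $1 names the tool for the stderr diagnostic;
# the overall result (rc) becomes 1 and the run continues so the remaining
# evidence is still collected.
fail_step() {
  printf 'run.sh: step failed: %s\n' "$1" >&2
  rc=1
}

rc=0

# All artefacts are resolved relative to the script's own directory. A failed
# cd must not fall through to running ./layout_proof from the caller's cwd.
cd "$(dirname -- "$0")" || {
  echo "run.sh: cannot cd to script directory" >&2
  echo "RUN_EXIT=1"
  exit 1
}

banner "[1/3] LAYOUT PROOF (overflow reach into ni_mltimer.toc)"
./layout_proof || fail_step "layout_proof"
echo

banner "[2/3] ATTACKER PAYLOAD (crafted mesh beacon pcap)"
./frame_craft df0285_beacon.pcap || fail_step "frame_craft"
echo "--- MESHID IE bytes (xxd, first 48 bytes of frame tail) ---"
# Show the tail of the written pcap (last 20 lines of the hex dump), where the
# MESHID IE lives. Falls back to od(1) when xxd is not installed.
if command -v xxd >/dev/null 2>&1; then
  xxd df0285_beacon.pcap | tail -n 20
else
  od -A d -t x1 df0285_beacon.pcap | tail -n 20
fi
echo

banner "[3/3] LIVE KERNEL SYMBOL CHECK (vuln code IS linked in)"
# Informational only: each probe prints a note instead of failing the run,
# since the guest may lack nm, the /sys source tree or root privileges.
nm /boot/kernel/kernel 2>/dev/null \
  | grep -iE 'ieee80211_parse_meshid|ieee80211_mesh_init_neighbor|mesh_peer_timeout_cb' \
  || echo "(nm not available / no symbol match)"
echo "--- config: mesh support compiled into GENERIC? ---"
grep -i "IEEE80211_SUPPORT_MESH" /sys/config/X86_64_GENERIC 2>/dev/null \
  || echo "(no /sys source on guest; verified on host: sys/config/X86_64_GENERIC:256)"
echo "--- wifi interfaces present? (expect none) ---"
# Lists every interface, not only wireless ones; the reader looks for wlan*.
ifconfig -l 2>/dev/null
echo "--- wlan module load status ---"
# NOTE(review): kldload(8) *loads* the module rather than merely querying it,
# so this line mutates kernel state on the audit guest. Kept as in the
# original; a query-only check via kldstat(8) is worth confirming on target.
kldload wlan 2>&1 | head -n 1
echo

if [ "$rc" -eq 0 ]; then
  echo "RESULT: code-level proof complete. No runtime trigger on this guest (no wifi HW)."
else
  echo "RESULT: code-level proof INCOMPLETE (a proof tool failed; see stderr). No runtime trigger on this guest (no wifi HW)."
fi
echo "RUN_EXIT=$rc"
exit "$rc"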