DragonFlyBSD Kernel Audit
DF-0291 / run.log
=== DF-0291 code-level overflow proof (userspace model) ===
IEEE80211_NWID_LEN = 32 ; attacker im_ssid_len (uint8_t max) = 255

[1] SET-path: SIOCS80211 -> setmlme_assoc_adhoc, im_ssid_len = 255
  HEAP OVERFLOW #1 (iv_des_ssid[0].ssid, :1595): 223 bytes past the 32-byte field into ieee80211vap heap (guard first clobbered @+0)
  HEAP OVERFLOW #2 (sr->sr_ssid[0].ssid, :1600): 223 bytes past the 32-byte field; spilled into sr_ssid[1]/sr_ssid[2] and beyond (post-struct guard first clobbered @+0)

[2] GET-path amplification: SIOCG80211 IOC_SSID reads the corrupted iv_des_ssid[0].len = 255
  GET IOC_SSID: memcpy 255 bytes into 32-byte stack tmpssid -> 223 bytes written past end (first clobber @ stack+0)

[3] Contrast -- sibling IOC_SSID SET handler (:2671) DOES guard:
    if (ireq->i_val != 0 || ireq->i_len > IEEE80211_NWID_LEN) return EINVAL;
    setmlme_assoc_adhoc (:1580) has ONLY: if (ssid_len == 0) return EINVAL;
    -> the adhoc path is the ONLY unguarded sink.
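Added userspace model of steps [1]-[3] above, written for this page rather than taken from the DragonFlyBSD tree or the audit harness. Each 32-byte ssid field is followed by GUARD_LEN bytes of 0xAA standing in for whatever follows it in memory, so the overrun is measured in clobbered guard bytes instead of corrupting anything real. The function names (adhoc_set_unguarded, ioc_ssid_set_guarded, adhoc_set_fixed, ioc_ssid_get), the flat len/ssid layout and the 256-byte guard are assumptions of the model; the two length checks they carry are the ones quoted in [3], and adhoc_set_fixed adds the upper bound the adhoc handler lacks as a proposed fix, not the project's.

```c
/* Userspace model of DF-0291 (added example; not DragonFlyBSD kernel code).
 * Layout and function names are assumptions made for this demo. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_NWID_LEN 32
#define GUARD_LEN          256   /* bytes standing in for "whatever follows" */
#define GUARD_BYTE         0xAA

/* Flat model of { uint8_t len; uint8_t ssid[32]; } followed by a guard region
 * that plays the role of the rest of ieee80211vap / sr_ssid[1], sr_ssid[2]. */
#define LEN_OFF    0
#define SSID_OFF   1
#define GUARD_OFF  (SSID_OFF + IEEE80211_NWID_LEN)
#define MODEL_SIZE (GUARD_OFF + GUARD_LEN)

static void guard_fill(uint8_t *g, size_t n) { memset(g, GUARD_BYTE, n); }

/* Number of guard bytes that no longer hold GUARD_BYTE. */
static size_t guard_clobbered(const uint8_t *g, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (g[i] != GUARD_BYTE);
    return hits;
}

/* Offset of the first clobbered guard byte, or -1 if the guard is intact. */
static long guard_first_clobber(const uint8_t *g, size_t n) {
    for (size_t i = 0; i < n; i++) if (g[i] != GUARD_BYTE) return (long)i;
    return -1;
}

/* Unguarded sink: the only check is the one quoted for setmlme_assoc_adhoc. */
static int adhoc_set_unguarded(uint8_t *vap, const uint8_t *src, uint8_t ssid_len) {
    if (ssid_len == 0) return EINVAL;
    vap[LEN_OFF] = ssid_len;
    memcpy(vap + SSID_OFF, src, ssid_len);   /* up to 255 bytes into a 32-byte field */
    return 0;
}

/* Guarded sibling: the IOC_SSID SET check quoted in [3]. */
static int ioc_ssid_set_guarded(uint8_t *vap, const uint8_t *src, int i_val, size_t i_len) {
    if (i_val != 0 || i_len > IEEE80211_NWID_LEN) return EINVAL;
    vap[LEN_OFF] = (uint8_t)i_len;
    memcpy(vap + SSID_OFF, src, i_len);
    return 0;
}

/* Proposed fix for the adhoc path: add the missing upper bound. */
static int adhoc_set_fixed(uint8_t *vap, const uint8_t *src, uint8_t ssid_len) {
    if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN) return EINVAL;
    return adhoc_set_unguarded(vap, src, ssid_len);
}

/* GET path: trusts the stored len and copies into a 32-byte "stack" tmpssid.
 * tmp must be IEEE80211_NWID_LEN + GUARD_LEN bytes.  Returns bytes copied. */
static size_t ioc_ssid_get(const uint8_t *vap, uint8_t *tmp) {
    uint8_t len = vap[LEN_OFF];
    memcpy(tmp, vap + SSID_OFF, len);
    return len;
}

/* Step [1]: fresh model, then SET through the unguarded path with im_ssid_len = 255. */
static void model_attack(uint8_t *vap) {
    uint8_t src[255];
    memset(src, 'A', sizeof src);
    memset(vap, 0, MODEL_SIZE);
    guard_fill(vap + GUARD_OFF, GUARD_LEN);
    (void)adhoc_set_unguarded(vap, src, 255);
}

static size_t set_path_overrun(void) {
    uint8_t vap[MODEL_SIZE];
    model_attack(vap);
    return guard_clobbered(vap + GUARD_OFF, GUARD_LEN);       /* expect 223 */
}

static long set_path_first_clobber(void) {
    uint8_t vap[MODEL_SIZE];
    model_attack(vap);
    return guard_first_clobber(vap + GUARD_OFF, GUARD_LEN);   /* expect 0 */
}

/* Step [2]: GET reads the corrupted len = 255 and overruns the stack tmpssid. */
static size_t get_path_overrun(void) {
    uint8_t vap[MODEL_SIZE], tmp[IEEE80211_NWID_LEN + GUARD_LEN];
    model_attack(vap);
    guard_fill(tmp + IEEE80211_NWID_LEN, GUARD_LEN);
    (void)ioc_ssid_get(vap, tmp);
    return guard_clobbered(tmp + IEEE80211_NWID_LEN, GUARD_LEN);  /* expect 223 */
}

/* Step [3]: the guarded sibling and the fixed path both reject 255, accept 32. */
static int guarded_paths_reject(void) {
    uint8_t vap[MODEL_SIZE] = {0}, src[255];
    memset(src, 'A', sizeof src);
    guard_fill(vap + GUARD_OFF, GUARD_LEN);
    int a = ioc_ssid_set_guarded(vap, src, 0, 255);
    int b = adhoc_set_fixed(vap, src, 255);
    int c = adhoc_set_fixed(vap, src, IEEE80211_NWID_LEN);
    return a == EINVAL && b == EINVAL && c == 0 &&
           guard_clobbered(vap + GUARD_OFF, GUARD_LEN) == 0;
}

int main(void) {
    printf("set-path guard bytes clobbered: %zu (first @+%ld)\n",
           set_path_overrun(), set_path_first_clobber());
    printf("get-path guard bytes clobbered: %zu\n", get_path_overrun());
    printf("guarded paths reject 255: %s\n", guarded_paths_reject() ? "yes" : "no");
    return 0;
}
```

Build with cc -std=c99 -Wall. With im_ssid_len = 255 the set and get scenarios each report 223 guard bytes clobbered, the first at offset 0, which is the arithmetic the log records (255 - 32 = 223); the guarded sibling and the hardened adhoc path return EINVAL for the same input while leaving the guard intact.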

CONCLUSION: the overflow logic is real (up to 223 bytes past a 32-byte
buffer on BOTH the heap set-path and the stack get-path). On the KVM
audit guest it is UNREACHABLE from userspace because no wlan vap can
be created without a wifi radio parent (see env.txt / VERDICT.md).
RUN_EXIT=0