DF-0315 / run.sh
#!/bin/sh
# DF-0315 run script -- the DECISIVE test for the wg_peer destroy<->wg_output
# use-after-free claimed in DF-0315.
#
# This must run as ROOT: the destroy side issues SIOCSWG, which requires
# SYSCAP_RESTRICTEDROOT (sys/net/wg/if_wg.c:2671). The wg_output (data-plane)
# side is driven by the senders and represents what an unprivileged local user
# can trigger; the destroy side represents what root (or a confused deputy)
# does. Run as: sudo ./run.sh
#
# Mode (NOEP) is chosen so the SEPARATE wg-send crash documented in
# endpoint_crash_separate_bug.txt does NOT fire, isolating the DF-0315 UAF.
#   NOEP=1    peer has no endpoint -> wg_output returns EHOSTUNREACH early,
#             so the wg-send taskqueue (the separate bug) never runs; this
#             exposes only the wg_aip_lookup -> wg_output UAF window.
#   NSEND=4   four sender threads drive wg_output via UDP into wg0.
#   NGROOM=6  six exec-churn groomers; proc-args allocs (kern_exec.c:602,
#             ~700 B) land in the same kmalloc-1024 zone as wg_peer, so a
#             freed peer slot is reclaimed with foreign bytes.
#
# Expected on a VULNERABLE kernel that lets the UAF window be hit: a kernel
# panic (page fault) in the wg_output / wg_peer_send_staged path shortly after
# start, with a panic signature in dfbsd-qemu/boot.log.
# Observed on THIS master DEV GENERIC kernel: NO panic; the run exits cleanly
# after ~16.8M sends / ~22k destroy-readd cycles and the guest stays up.
set -e
cd "$(dirname "$0")"

# Capture wgrace's exit status explicitly: under "set -e" a non-zero exit
# from ./wgrace would abort the script before the RUN_EXIT line is printed,
# so "$?" on its own could only ever report 0 here.
rc=0
env NOEP=1 NSEND=4 NGROOM=6 ./wgrace 55 || rc=$?
echo "RUN_EXIT=$rc"
exit "$rc"