DragonFlyBSD Kernel Audit
DF-0315 / run.sh
#!/bin/sh
# DF-0315 run script -- the DECISIVE test for the wg_peer destroy<->wg_output
# use-after-free claimed in DF-0315.
#
# This must run as ROOT: the destroy side issues SIOCSWG, which requires
# SYSCAP_RESTRICTEDROOT (sys/net/wg/if_wg.c:2671).  The wg_output (data-plane)
# side is driven by the senders and represents what an unprivileged local user
# can trigger; the destroy side represents what root (or a confused deputy)
# does.  Run as:  sudo ./run.sh
#
# Mode NOEP=1 is chosen so the SEPARATE wg-send crash documented in
# endpoint_crash_separate_bug.txt does NOT fire, isolating the DF-0315 UAF.
#   NOEP=1       peer has no endpoint -> wg_output returns EHOSTUNREACH early,
#                so the wg-send taskqueue (the separate bug) never runs; this
#                exposes only the wg_aip_lookup -> wg_output UAF window.
#   NSEND=4      four sender threads drive wg_output via UDP into wg0.
#   NGROOM=6     six exec-churn groomers; proc-args allocs (kern_exec.c:602,
#                ~700 B) land in the same kmalloc-1024 zone as wg_peer, so a
#                freed peer slot is reclaimed with foreign bytes.
#
# Expected on a VULNERABLE kernel that lets the UAF window be hit: a kernel
# panic (page fault) in the wg_output / wg_peer_send_staged path shortly after
# start, with a panic signature in dfbsd-qemu/boot.log.
# Observed on THIS master DEV GENERIC kernel: NO panic; the run exits cleanly
# after ~16.8M sends / ~22k destroy-readd cycles and the guest stays up.
set -u
cd "$(dirname "$0")" || exit 1

# The destroy side needs root (SIOCSWG -> SYSCAP_RESTRICTEDROOT), so refuse up
# front rather than letting wgrace fail part-way through the run.
if [ "$(id -u)" -ne 0 ]; then
    echo "run.sh: must run as root (sudo ./run.sh)" >&2
    exit 1
fi

# No 'set -e' here: it would abort before the RUN_EXIT line on any non-zero
# status, which is exactly the case worth reporting.  Capture the status,
# print it, and propagate it.
env NOEP=1 NSEND=4 NGROOM=6 ./wgrace 55
rc=$?
echo "RUN_EXIT=$rc"
exit "$rc"
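The run script decides vulnerable vs. clean by whether dfbsd-qemu/boot.log carries a panic in the wg_output / wg_peer_send_staged path, and NOEP=1 exists precisely so a panic from the separate wg-send bug is not mistaken for the DF-0315 UAF. The helper below, added here as an example and not part of the DF-0315 artifact or the wgrace harness, makes that classification mechanical: no panic line means CLEAN, a panic whose trace (the lines after the first `panic:`) touches wg_output or wg_peer_send_staged means DF0315_UAF, and any other panic means OTHER_PANIC. The frame names come from run.sh above; the `^panic:` line anchor, the `Fatal trap 12` line, the `+0x..` offsets and the three sample logs are assumptions and constructed data, not captures from the real guest.

```shell
#!/bin/sh
# Added DF-0315 boot.log triage helper (example, not project code).
# Assumptions: DragonFly writes a line beginning 'panic:' and the backtrace
# frames follow it.  Sample logs below are constructed, not real captures.

# classify_log LOGFILE -> prints one of:
#   CLEAN        no 'panic:' line (the outcome run.sh reports for this kernel)
#   DF0315_UAF   panic whose trace goes through wg_output or wg_peer_send_staged
#   OTHER_PANIC  panic that touches neither frame (e.g. the separate wg-send
#                crash that NOEP=1 is meant to keep out of the picture)
classify_log() {
    if ! grep -q '^panic:' "$1"; then
        echo CLEAN
        return 0
    fi
    # Only inspect the trace that follows the first panic line, so a mention
    # of wg_output earlier in a long log (debug prints, earlier runs) does not
    # turn an unrelated panic into a DF-0315 hit.
    if sed -n '/^panic:/,$p' "$1" | grep -q -E 'wg_output|wg_peer_send_staged'; then
        echo DF0315_UAF
    else
        echo OTHER_PANIC
    fi
}

# first_panic_line LOGFILE -> the first 'panic:' line, or nothing if none.
first_panic_line() {
    grep '^panic:' "$1" | head -n 1
}

# write_samples DIR -> three constructed boot.log excerpts (not real output).
write_samples() {
    d=$1
    printf '%s\n' \
        'constructed boot.log: guest stayed up' \
        'wg0: link state changed to UP' \
        'RUN_EXIT=0' > "$d/clean.log"
    printf '%s\n' \
        'Fatal trap 12: page fault while in kernel mode' \
        'panic: page fault' \
        'wg_peer_send_staged() at wg_peer_send_staged+0x4c' \
        'wg_output() at wg_output+0x1a3' > "$d/uaf.log"
    printf '%s\n' \
        'Fatal trap 12: page fault while in kernel mode' \
        'panic: page fault' \
        'some_unrelated_frame() at some_unrelated_frame+0x10' > "$d/other.log"
}

# Stand-alone demo over the constructed samples.
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for name in clean uaf other; do
    echo "$name.log: $(classify_log "$SAMPLES/$name.log")"
done
```

On a real run, point classify_log at dfbsd-qemu/boot.log after run.sh returns; pair its verdict with the RUN_EXIT line, since a guest that panics never gets to print RUN_EXIT at all, and an OTHER_PANIC verdict means the isolation NOEP=1 is supposed to give has not held.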