Damn Vulnerable Kernel Module for FreeBSD (untested) and CheriBSD (purecap and hybrid kernels). This is a work-in-progress research prototype; the accompanying analysis lives in a separate repository.

Implemented vulnerability classes:
- Buffer overflow (write)
  - Stack
    - Standard
    - Subobject
  - Heap
    - General purpose kmem
      - Standard
      - Subobject
    - Dedicated UMA zone
      - Standard
      - Subobject
    - General purpose kmem
      - Stack
- Linear memory disclosure (read)
  - Stack
    - Standard
    - Subobject
  - Heap
    - General purpose kmem
      - Standard
      - Subobject
    - Dedicated UMA zone
      - Standard
      - Subobject
    - General purpose kmem
      - Stack
- Heap use after free (trigger malloc, free, read and write in separate invocations)
  - General purpose kmem zone (specify the size)
  - Dedicated UMA zone (specify the name)
- Stack use after free (TODO: hardcoded, how do I make it more flexible?)
- Arbitrary memory disclosure (read)
- Arbitrary overwrite (write)
- Arbitrary integer/pointer increment
- Pointer hijack (TODO)
- Uninitialized memory (read/write)
  - Stack
  - Heap
- Double fetch
- Leak pagetable l0
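The "Standard" versus "Subobject" split above is the distinction CHERI bounds care about: a capability derived from a whole allocation stops a write that runs off the end of the object, but not one that stays inside the object and crosses from an array into a neighbouring field. The following userland model, added here as an illustration and not code from the DVKM module, simulates both bounds choices with plain integers so it runs on any host. The `struct victim` layout, the field names, the 8-byte buffer and the `cap_allows` check are assumptions for the example; a real CHERI implementation performs the check in hardware.

```c
/*
 * Added example (not part of DVKM): "standard" vs "subobject" overflow
 * under two simulated capability bounds. All names below are assumed for
 * illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct victim {
    char buf[8];            /* data copied in from "userland" */
    void (*handler)(void);  /* sibling field a subobject overflow can clobber */
};

static void legit(void)  { puts("legit handler"); }
static void hijack(void) { puts("hijacked handler"); }

/* Simulated capability: base address plus length, as CHERI bounds would carry. */
struct cap { uintptr_t base; size_t len; };

/* Return 1 if [addr, addr+len) lies inside the capability's bounds. */
int cap_allows(struct cap c, uintptr_t addr, size_t len)
{
    return addr >= c.base && len <= c.len && addr - c.base <= c.len - len;
}

/*
 * Copy `len` bytes into v->buf under the chosen bounds model.
 *   subobject == 0: capability covers the whole struct (what you get when
 *                   bounds are not narrowed to the array, e.g. hybrid code).
 *   subobject == 1: capability narrowed to buf (CHERI subobject bounds).
 * Returns 1 if the write was permitted and performed, 0 if it was trapped.
 */
int overflow_copy(struct victim *v, const void *src, size_t len, int subobject)
{
    uintptr_t dst = (uintptr_t)v + offsetof(struct victim, buf);
    struct cap c = subobject
        ? (struct cap){ dst, sizeof v->buf }
        : (struct cap){ (uintptr_t)v, sizeof *v };

    if (!cap_allows(c, dst, len))
        return 0;               /* CHERI would raise a bounds fault here */

    /* The copy goes through the object's base pointer, so it stays inside
     * the allocation (well defined in plain C) and clobbers `handler`. */
    memcpy((char *)v + offsetof(struct victim, buf), src, len);
    return 1;
}

/* Constructed attacker payload: fill buf, then overwrite the pointer after it. */
size_t build_payload(unsigned char *out, void (*target)(void))
{
    memset(out, 'A', sizeof ((struct victim *)0)->buf);
    memcpy(out + sizeof ((struct victim *)0)->buf, &target, sizeof target);
    return sizeof ((struct victim *)0)->buf + sizeof target;
}

/* Run one scenario; return 1 if the handler pointer ended up hijacked. */
int scenario(int subobject)
{
    struct victim v = { "init", legit };
    unsigned char payload[sizeof v.buf + sizeof v.handler];
    size_t n = build_payload(payload, hijack);

    overflow_copy(&v, payload, n, subobject);
    return v.handler == hijack;
}

int main(void)
{
    printf("whole-object bounds: hijacked=%d\n", scenario(0));
    printf("subobject bounds:    hijacked=%d\n", scenario(1));
    return 0;
}
```

With whole-object bounds the 16-byte copy fits the 16-byte struct and the function pointer is replaced; with subobject bounds the same copy exceeds the 8-byte array and is refused before any byte lands. That is why the module exercises both variants for every location (stack, kmem, UMA zone): they behave identically on a conventional kernel but diverge on a purecap one.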
On a FreeBSD host (untested):

```
make
```

On a CheriBSD host, to build an A64 module for a hybrid kernel:

```
env MACHINE_ARCH=aarch64 make
```

To build a C64 module for a purecap kernel (the default `MACHINE_ARCH` on a purecap host):

```
make
```

Build artifacts are placed in `obj/`.
- Because of the `CHERI_CAPREVOKE` and `CHERI_CAPREVOKE_STATS` macros, the `vm_map` field offsets emitted by the compiler (when compiling natively on a Morello box) won't match the offsets used by the running kernel unless the module is built with the same kernel configuration, i.e. with those macros defined exactly as they were for the kernel.