├── DEMOS.md
├── LICENSE
├── README.md
├── misc
    ├── boot_times
    │   ├── custom_kernel.diff
    │   ├── loader.conf
    │   ├── measure.sh
    │   ├── result.txt
    │   └── timer_vm.sh
    ├── host_setup
    │   └── setup.sh
    └── vm_setup
    │   ├── fuzzer.sh
    │   ├── kern.diff
    │   ├── loader.conf
    │   ├── make_kern.sh
    │   ├── rc.conf
    │   └── sysctl.conf
├── presentation.pdf
├── src
    ├── README.md
    ├── __init__.py
    ├── ext_superblock_parser.py
    ├── fs_fuzzer.py
    ├── fs_generator.py
    ├── fs_mutator.py
    ├── fs_util.py
    └── ufs_superblock_parser.py
└── testcases
    ├── __init__.py
    ├── core_features
        ├── default.txt
        ├── extract_core_features.py
        └── verbose.txt
    ├── poc_1
        ├── README.md
        └── poc1_ufs2
    ├── poc_2
        ├── README.md
        └── poc2_ufs2
    ├── poc_3
        ├── README.md
        ├── poc3_all_ufs2
        ├── poc3_sb0_ufs2
        ├── poc3_sb1_ufs2
        └── poc3_sb2_ufs2
    ├── poc_4
        └── poc4_ufs2
    ├── poc_5
        ├── poc5_ext
        └── poc5_ufs
    └── poc_6
        ├── PoC.sh
        └── poc6_ufs2_nd


/DEMOS.md:
--------------------------------------------------------------------------------
 1 | ## Test case generator
 2 | 
 3 | 1. sudo ./fs_generator.py -fs ufs2 -s 10 -n 'HITB_ufs' -o $(pwd)
 4 | 2. sudo ./fs_generator.py -fs ext2 -s 10 -n 'HITB_ext2' -o $(pwd)
 5 | 3. sudo ./fs_generator.py -fs zfs -s 64 -n 'HITB_zfs' -o $(pwd)
 6 | 4. sudo ./fs_generator.py -fs ext2 -s 15 -n 'HITB_ext2_p' -o $(pwd) -p 10 ps 1024
 7 | 
 8 | ## Mutation
 9 | 
10 | 1. file HITB_ufs
11 | 1.1 /fs_mutator.py -f HITB_ufs -t sb all fs_fsmnt 'Hello world @ HITB 2020 Lockdown Edition :)!' -o HITB_ufs_fsmnt
12 | 1.2 file HITB_ufs_fsmnt
13 | 1.3 ./fs_fuzzer.py -2
14 | 
15 | 
16 | 2. ./fs_mutator.py -f HITB_ufs -t sb 0 fs_magic 'AAAA' -o HITB_ufs_fsmagic
17 | 2.1 file HITB_ufs_fsmagic
18 | 2.2 ./ufs_superblock_parser.py -f HITB_ufs_fsmagic -ps 0
19 | 2.3 ./fs_fuzzer.py -3
20 | 2.4 Change to sb1 if time.. 
21 | 
22 | 3. ./fs_mutator.py -f HITB_ufs --prototype sb byte_flip ff 0 -o HITB_ufs_sb0_bf_ff
23 | 4. ./fs_mutator.py -f HITB_ufs --prototype cg byte_flip rnd all -o HITB_ufs_cgall_bf_rnd
24 | 5. ./fs_mutator.py -f HITB_ufs --prototype data block rnd '' -o HITB_ufs_data_block_rnd
25 | 6. ./fs_mutator.py -f HITB_ufs -o HITB_ufs_rad --radamsa --determinism
26 | 6.1 binwalk -W HITB_ufs HITB_ufs_rad
27 | 7. ./fs_mutator.py -f HITB_ufs -o HITB_ufs_rad --radamsa --determinisn --restore
28 | 7.1 file HITB_ufs_rad
29 | 
30 | ## User Emul:
31 | 
32 | 1. ./fs_fuzzer.py -4    ; Mount no user emul
33 | 2. ./fs_fuzzer.py -5    ; some user emul
34 | 
35 | ## Monitoring
36 | 
37 | 1. less default.txt
38 | 1.1 ./extract_core_features.py default.txt
39 | 2. less verbose.txt
40 | 2.1 ./extract_core_features.py verbose.txt
41 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     <one line to give the program's name and a brief idea of what it does.>
635 |     Copyright (C) <year>  <name of author>
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <https://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     <program>  Copyright (C) <year>  <name of author>
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # fs-fuzzer
 2 | My Material for the HITB 2020 Lockdown edition presentation in April.
 3 | This repo contains the presentation slides as well as all used scripts that were used to demonstrate the demos.
 4 | 
 5 |  ### Update May 2020
 6 |  
 7 | **[FULL FUZZING FRAMEWORK HERE](https://github.com/0xricksanchez/fisy-fuzz)**
 8 | 
 9 | ## fs_generator.py
10 | 
11 | This standalone script can be used to generate different file systems across the different support host systems:
12 | 
13 | ```
14 | SUPPORTED_FILE_SYSTEMS = {
15 |     "freebsd": ["ufs1", "ufs2", "zfs", "ext2", "ext3", "ext4"],
16 |     "netbsd": ["4.3bsd", "ufs1", "ufs2", "ext2"],
17 |     "openbsd": ["4.3bsd", "ufs1", "ufs2", "ext2"],
18 |     "linux": ["uf1", "ufs2", "ext2", "ext3", "ext4", "zfs"],
19 |     "darwin": ["apfs"],
20 | }
21 | ```
22 | 
23 | Depending on the supplied flags to `fs_generator.py` the generated file system is either empty or contains a randomly generated file system hierarchy.
24 | The files will be directories, symbolic as well as hard links and binary files.
25 | 
26 | ### Example:
27 | 
28 | ```
29 | $ sudo python3 fs_generator.py -fs ext4 -s 15 -n "ubuntu_ext4_15mb" -o /home/dev/HITB/scripts/create_fs -p 10 -ps 1024
30 | ```
31 | 
32 | This creates a *ext4* disk image of size *15 MB* on a Ubuntu host system.
33 | It will contain *10* files of which the maximum file size for each will be at most *1024 bytes*.
34 | Finally, it will be saved at */home/dev/HITB/scripts/create_fs/*:
35 | 
36 | ```bash
37 | $ ls /home/dev/HITB/scripts/create_fs/ubuntu_ext4_15mb
38 | /home/dev/HITB/scripts/create_fs/ubuntu_ext4_15mb
39 | ```
40 | 
41 | 
42 | ## fs_mutator.py
43 | 
44 | Is a standalone mutation script that supports mutation via *radamsa*, *targeted mutation* of specific metadata fields as well as less targeted variant
45 | where you can write *n bytes* of *0x00*/*0xff*/*random* to either the *superblock*, *cylinder groups* or *data section*.
46 | 
47 | ### Examples
48 | 
49 | ```
50 | $ ./fs_mutator.py -f HITB_ufs -o HITB_ufs_rad --radamsa --determinism --restore
51 | ```
52 | 
53 | Takes the HITB_ufs file system and applies a seeded full binary radamsa mutation to it.
54 | Afterwards the magic bytes are restored.
55 | The output is saved in a file called *HITB_ufs_rad*.
56 | 
57 | 
58 | ```
59 | $ ./fs_mutator.py -f HITB_ufs -t sb 0 fs_magic 'AAAA' -o HITB_ufs_fsmagic
60 | ```
61 | This overwrites the 4 byte magic sequence in the 0th ufs superblock with *'AAAA'*.
62 | 
63 | ```
64 | $ ./fs_mutator.py -f HITB_ufs -t sb all fs_fsmnt 'Hello World @ HITB 2020 Lockdown' -o HITB_ufs_fsmnt
65 | ```
66 | This overwrites all superblock fields that correspond to the *fs_fsmnt* name with the provided *Hello World...* string.
67 | 
68 | 
69 | ## fs_fuzzer.py
70 | 
71 | This is a minimal working demo fuzzer, which includes 5 PoCs. 
72 | You can read the code and understand the concept behind accessing and playing with remote machines.
73 | 
74 | ## fs_util.py, ext-/ufs-superblock_parser.py
75 | 
76 | Provide some helper scripts to parse metadata fields and so forth.
77 | 


--------------------------------------------------------------------------------
/misc/boot_times/custom_kernel.diff:
--------------------------------------------------------------------------------
  1 | < #
  2 | < # GENERIC -- Generic kernel configuration file for FreeBSD/amd64
  3 | < #
  4 | < # For more information on this file, please read the config(5) manual page,
  5 | < # and/or the handbook section on Kernel Configuration Files:
  6 | < #
  7 | < #    https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
  8 | < #
  9 | < # The handbook is also available locally in /usr/share/doc/handbook
 10 | < # if you've installed the doc distribution, otherwise always see the
 11 | < # FreeBSD World Wide Web server (https://www.FreeBSD.org/) for the
 12 | < # latest information.
 13 | < #
 14 | < # An exhaustive list of options and more detailed explanations of the
 15 | < # device lines is also present in the ../../conf/NOTES and NOTES files.
 16 | < # If you are in doubt as to the purpose or necessity of a line, check first
 17 | < # in NOTES.
 18 | < #
 19 | < # $FreeBSD: releng/12.1/sys/amd64/conf/GENERIC 346179 2019-04-13 08:52:52Z dim $
 20 | 90a72,78
 21 | > # ADDED_START
 22 | > #options     DDB
 23 | > options     INVARIANTS
 24 | > options     INVARIANT_SUPPORT
 25 | > options     DIAGNOSTIC
 26 | > options     DEBUG_REDZONE
 27 | > # ADDED_END
 28 | 112,114d99
 29 | < # Floppy drives
 30 | < device		fdc
 31 | <
 32 | 121,136d105
 33 | < # SCSI Controllers
 34 | < device		ahc			# AHA2940 and onboard AIC7xxx devices
 35 | < device		ahd			# AHA39320/29320 and onboard AIC79xx devices
 36 | < device		esp			# AMD Am53C974 (Tekram DC-390(T))
 37 | < device		hptiop			# Highpoint RocketRaid 3xxx series
 38 | < device		isp			# Qlogic family
 39 | < #device		ispfw			# Firmware for QLogic HBAs- normally a module
 40 | < device		mpt			# LSI-Logic MPT-Fusion
 41 | < device		mps			# LSI-Logic MPT-Fusion 2
 42 | < device		mpr			# LSI-Logic MPT-Fusion 3
 43 | < #device		ncr			# NCR/Symbios Logic
 44 | < device		sym			# NCR/Symbios Logic (newer chipsets + those of `ncr')
 45 | < device		trm			# Tekram DC395U/UW/F DC315U adapters
 46 | < device		isci			# Intel C600 SAS controller
 47 | < device		ocs_fc			# Emulex FC adapters
 48 | <
 49 | 147,175d115
 50 | < # RAID controllers interfaced to the SCSI subsystem
 51 | < device		amr			# AMI MegaRAID
 52 | < device		arcmsr			# Areca SATA II RAID
 53 | < device		ciss			# Compaq Smart RAID 5*
 54 | < device		dpt			# DPT Smartcache III, IV - See NOTES for options
 55 | < device		hptmv			# Highpoint RocketRAID 182x
 56 | < device		hptnr			# Highpoint DC7280, R750
 57 | < device		hptrr			# Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
 58 | < device		hpt27xx			# Highpoint RocketRAID 27xx
 59 | < device		iir			# Intel Integrated RAID
 60 | < device		ips			# IBM (Adaptec) ServeRAID
 61 | < device		mly			# Mylex AcceleRAID/eXtremeRAID
 62 | < device		twa			# 3ware 9000 series PATA/SATA RAID
 63 | < device		smartpqi		# Microsemi smartpqi driver
 64 | < device		tws			# LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
 65 | <
 66 | < # RAID controllers
 67 | < device		aac			# Adaptec FSA RAID
 68 | < device		aacp			# SCSI passthrough for aac (requires CAM)
 69 | < device		aacraid			# Adaptec by PMC RAID
 70 | < device		ida			# Compaq Smart RAID
 71 | < device		mfi			# LSI MegaRAID SAS
 72 | < device		mlx			# Mylex DAC960 family
 73 | < device		mrsas			# LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
 74 | < device		pmspcv			# PMC-Sierra SAS/SATA Controller driver
 75 | < #XXX pointer/int warnings
 76 | < #device		pst			# Promise Supertrak SX6000
 77 | < device		twe			# 3ware ATA RAID
 78 | <
 79 | 180,186d119
 80 | < # atkbdc0 controls both the keyboard and the PS/2 mouse
 81 | < device		atkbdc			# AT keyboard controller
 82 | < device		atkbd			# AT keyboard
 83 | < device		psm			# PS/2 mouse
 84 | <
 85 | < device		kbdmux			# keyboard multiplexer
 86 | <
 87 | 203,211d135
 88 | < # PCCARD (PCMCIA) support
 89 | < # PCMCIA and cardbus bridge support
 90 | < device		cbb			# cardbus (yenta) bridge
 91 | < device		pccard			# PC Card (16-bit) bus
 92 | < device		cardbus			# CardBus (32-bit) bus
 93 | <
 94 | < # Serial (COM) ports
 95 | < device		uart			# Generic UART driver
 96 | <
 97 | 215d138
 98 | < device		lpt			# Printer
 99 | 217d139
100 | < #device		vpo			# Requires scbus and da
101 | 219d140
102 | < device		puc			# Multi I/O cards and multi-channel UARTs
103 | 224,228d144
104 | < device		ix			# Intel PRO/10GbE PCIE PF Ethernet
105 | < device		ixv			# Intel PRO/10GbE PCIE VF Ethernet
106 | < device		ixl			# Intel 700 Series Physical Function
107 | < device		iavf			# Intel Adaptive Virtual Function
108 | < device		vmx			# VMware VMXNET3 Ethernet
109 | 230,302d145
110 | < # PCI Ethernet NICs.
111 | < device		bxe			# Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
112 | < device		de			# DEC/Intel DC21x4x (``Tulip'')
113 | < device		le			# AMD Am7900 LANCE and Am79C9xx PCnet
114 | < device		ti			# Alteon Networks Tigon I/II gigabit Ethernet
115 | < device		txp			# 3Com 3cR990 (``Typhoon'')
116 | < device		vx			# 3Com 3c590, 3c595 (``Vortex'')
117 | <
118 | < # PCI Ethernet NICs that use the common MII bus controller code.
119 | < # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
120 | < device		miibus			# MII bus support
121 | < device		ae			# Attansic/Atheros L2 FastEthernet
122 | < device		age			# Attansic/Atheros L1 Gigabit Ethernet
123 | < device		alc			# Atheros AR8131/AR8132 Ethernet
124 | < device		ale			# Atheros AR8121/AR8113/AR8114 Ethernet
125 | < device		bce			# Broadcom BCM5706/BCM5708 Gigabit Ethernet
126 | < device		bfe			# Broadcom BCM440x 10/100 Ethernet
127 | < device		bge			# Broadcom BCM570xx Gigabit Ethernet
128 | < device		cas			# Sun Cassini/Cassini+ and NS DP83065 Saturn
129 | < device		dc			# DEC/Intel 21143 and various workalikes
130 | < device		et			# Agere ET1310 10/100/Gigabit Ethernet
131 | < device		fxp			# Intel EtherExpress PRO/100B (82557, 82558)
132 | < device		gem			# Sun GEM/Sun ERI/Apple GMAC
133 | < device		hme			# Sun HME (Happy Meal Ethernet)
134 | < device		jme			# JMicron JMC250 Gigabit/JMC260 Fast Ethernet
135 | < device		lge			# Level 1 LXT1001 gigabit Ethernet
136 | < device		msk			# Marvell/SysKonnect Yukon II Gigabit Ethernet
137 | < device		nfe			# nVidia nForce MCP on-board Ethernet
138 | < device		nge			# NatSemi DP83820 gigabit Ethernet
139 | < device		pcn			# AMD Am79C97x PCI 10/100 (precedence over 'le')
140 | < device		re			# RealTek 8139C+/8169/8169S/8110S
141 | < device		rl			# RealTek 8129/8139
142 | < device		sf			# Adaptec AIC-6915 (``Starfire'')
143 | < device		sge			# Silicon Integrated Systems SiS190/191
144 | < device		sis			# Silicon Integrated Systems SiS 900/SiS 7016
145 | < device		sk			# SysKonnect SK-984x & SK-982x gigabit Ethernet
146 | < device		ste			# Sundance ST201 (D-Link DFE-550TX)
147 | < device		stge			# Sundance/Tamarack TC9021 gigabit Ethernet
148 | < device		tl			# Texas Instruments ThunderLAN
149 | < device		tx			# SMC EtherPower II (83c170 ``EPIC'')
150 | < device		vge			# VIA VT612x gigabit Ethernet
151 | < device		vr			# VIA Rhine, Rhine II
152 | < device		wb			# Winbond W89C840F
153 | < device		xl			# 3Com 3c90x (``Boomerang'', ``Cyclone'')
154 | <
155 | < # Wireless NIC cards
156 | < device		wlan			# 802.11 support
157 | < options 	IEEE80211_DEBUG		# enable debug msgs
158 | < options 	IEEE80211_AMPDU_AGE	# age frames in AMPDU reorder q's
159 | < options 	IEEE80211_SUPPORT_MESH	# enable 802.11s draft support
160 | < device		wlan_wep		# 802.11 WEP support
161 | < device		wlan_ccmp		# 802.11 CCMP support
162 | < device		wlan_tkip		# 802.11 TKIP support
163 | < device		wlan_amrr		# AMRR transmit rate control algorithm
164 | < device		an			# Aironet 4500/4800 802.11 wireless NICs.
165 | < device		ath			# Atheros NICs
166 | < device		ath_pci			# Atheros pci/cardbus glue
167 | < device		ath_hal			# pci/cardbus chip support
168 | < options 	AH_SUPPORT_AR5416	# enable AR5416 tx/rx descriptors
169 | < options 	AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
170 | < options 	ATH_ENABLE_11N		# Enable 802.11n support for AR5416 and later
171 | < device		ath_rate_sample		# SampleRate tx rate control for ath
172 | < #device		bwi			# Broadcom BCM430x/BCM431x wireless NICs.
173 | < #device		bwn			# Broadcom BCM43xx wireless NICs.
174 | < device		ipw			# Intel 2100 wireless NICs.
175 | < device		iwi			# Intel 2200BG/2225BG/2915ABG wireless NICs.
176 | < device		iwn			# Intel 4965/1000/5000/6000 wireless NICs.
177 | < device		malo			# Marvell Libertas wireless NICs.
178 | < device		mwl			# Marvell 88W8363 802.11n wireless NICs.
179 | < device		ral			# Ralink Technology RT2500 wireless NICs.
180 | < device		wi			# WaveLAN/Intersil/Symbol 802.11 wireless NICs.
181 | < device		wpi			# Intel 3945ABG wireless NICs.
182 | <
183 | 330,344d172
184 | <
185 | < # Sound support
186 | < device		sound			# Generic sound driver (required)
187 | < device		snd_cmi			# CMedia CMI8338/CMI8738
188 | < device		snd_csa			# Crystal Semiconductor CS461x/428x
189 | < device		snd_emu10kx		# Creative SoundBlaster Live! and Audigy
190 | < device		snd_es137x		# Ensoniq AudioPCI ES137x
191 | < device		snd_hda			# Intel High Definition Audio
192 | < device		snd_ich			# Intel, NVidia and other ICH AC'97 Audio
193 | < device		snd_via8233		# VIA VT8233x Audio
194 | <
195 | < # MMC/SD
196 | < device		mmc			# MMC/SD bus
197 | < device		mmcsd			# MMC/SD memory card
198 | < device		sdhci			# Generic PCI SD Host Controller


--------------------------------------------------------------------------------
/misc/boot_times/loader.conf:
--------------------------------------------------------------------------------
1 | autoboot_delay="0"
2 | dumpdev="AUTO"


--------------------------------------------------------------------------------
/misc/boot_times/measure.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | measure() {
 5 |     sleep 1
 6 |     for ((i = 1; i <= $2; i++)); do
 7 |         echo -en "[+] Run $i"
 8 |         time ./timer_vm.sh $1 && sudo virsh reboot $1 2>/dev/null && sleep 1
 9 |     done
10 | }
11 | 
12 | 
13 | if [ $# -ne "3" ]; then
14 | 	echo "[!] Expected Arguments:"
15 | 	echo "  Arg 1: Name of vm"
16 | 	echo "  Arg 2: Action: start/reboot"
17 | 	echo "  Arg 3: Number of measurement runs"
18 | else
19 | 	rv=$( virsh list | grep -c "$1" )
20 | 	if [ "$rv" -eq "1" ]; then
21 | 		case "$2" in
22 |             start) sudo virsh $2 $1 2>/dev/null && measure $1 $3
23 | 				;;
24 |             reboot) sudo virsh $2 $1 2>/dev/null && measure $1 $3
25 | 				;;
26 | 			*) echo -n "Bad argument: $2"
27 | 				;;
28 | 		esac
29 | 	else
30 | 		echo "VM $1 not found ..!"
31 | 		exit 1
32 | 	fi
33 | fi
34 | exit 0


--------------------------------------------------------------------------------
/misc/boot_times/result.txt:
--------------------------------------------------------------------------------
1 |       | fat    | fat_diag       | small_diag      | small_diag_boot_delay |
2 | ------|--------|----------------|-----------------|-----------------------|
3 | Run 1:| 39.23s | 41.97s (+7.0%) | 37.79s (-10.0%) | 26.10s (-38.2%)       |
4 | Run 2:| 39.77s | 40.80s (+2.6%) | 36.24s (-12.1%) | 27.68s (-32.2%)       |
5 | Run 3:| 38.15s | 40.79s (+6.9%) | 37.26s (-8.7%)  | 27.11s (-34.5%)       |
6 | Run 4:| 39.12s | 38.82s (-0.1%) | 36.73s (-5.4%)  | 26.01s (-33.0%)       |
7 | Run 5:| 39.76s | 41.45s (+4.3%) | 36.71s (-11.5%) | 25.58s (-38.3%)       |
8 | ======|========|================|=================|=======================|
9 | AVG:  | 39.21s | 40.77s (+4%)   | 36.95s (-9.4%)  | 26,50s (-35.0%)       |


--------------------------------------------------------------------------------
/misc/boot_times/timer_vm.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | until nc -vzw 2 $(sudo virsh domifaddr $1 | tail -n 2 | cut -d" " -f21 | cut -d"/" -f1 | xargs) 22 2>/dev/null; do
4 | 	sleep 0.5
5 | done
6 | 


--------------------------------------------------------------------------------
/misc/host_setup/setup.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | set -e
 3 | 
 4 | echo "[*] Installing system dependencies..."
 5 | sudo apt-get install -y python3-dev python3-pip qemu-kvm libvirt-clients libvirt-dev libvirt-daemon-system gcc \
 6 |                         libsdl1.2-dev zlib1g-dev libasound2-dev linux-kernel-headers pkg-config libgnutls28-dev \
 7 |                         libpci-dev libglib2.0-dev libfdt-dev libpixman-1-dev net-tools virtinst git libnl-3-dev \
 8 |                         libnl-route-3-dev libxml2-dev libpciaccess-dev libyajl-dev xsltproc libdevmapper-dev \
 9 |                         uuid-dev qemu qemu-block-extra qemu-guest-agent qemu-system qemu-system-common libvirt-bin\
10 |                         qemu-utils qemu-user qemu-efi openbios-ppc sgabios systemtap pm-utils open-iscsi debootstrap \
11 |                         zfsutils-linux file
12 | 
13 | 
14 | mkdir -p ~/git
15 | 
16 | echo "[*] Installing radamsa"
17 | git clone https://gitlab.com/akihe/radamsa.git ~/git/radamsa/
18 | cd ~/git/radamsa
19 | make
20 | sudo make install
21 | 
22 | echo "[*] Installing needed python packages..."
23 | sudo -EH python3 -m pip install libvirt-python wget paramiko pprint scp python-magic Pillow colorama seaborn
24 | 
25 | echo "[*] Setting up users..."
26 | sudo usermod -aG libvirt "$USER"
27 | sudo usermod -aG libvirt-qemu "$USER"
28 | sudo usermod -aG kvm "$USER"
29 | 
30 | echo "[*] Testing install..."
31 | sudo systemctl enable libvirtd
32 | sudo systemctl start libvirtd
33 | virsh list --all >> /dev/null
34 | if [[ $? == 0 ]]; then
35 |   echo "[+] libvirt successfully set up!"
36 | else
37 |   echo "[-] libvirt failed to install!"
38 | fi
39 | 
40 | kvm-ok >>  /dev/null
41 | if [[ $? == 0 ]]; then
42 |   echo "[+] kvm support successfully set up!"
43 |   cpu_check=$(cat /proc/cpuinfo | grep "model name" | uniq | grep -oh ": [a-zA-Z]*" | cut -c 3-)
44 |   if [[ ${cpu_check} == "Intel" ]]; then
45 |     modprobe kvm_intel
46 |   elif [[ ${cpu_check} == "AMD" ]]; then
47 |     modprobe kvm_amd
48 |   else
49 |     echo "[*] Unknown CPU, skipping modprobe"
50 |   fi
51 | else
52 |   echo "[-] kvm support failed to install!"
53 | fi
54 | 
55 | installed_qemu_packages=$(dpkg -l | grep '^ii' | grep -o '  qemu-[a-zA-Z0-9-]*')
56 | echo "[*] Installed QEMU modules:""${installed_qemu_packages}"
57 | 


--------------------------------------------------------------------------------
/misc/vm_setup/fuzzer.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env sh
 2 | # Some stuff to setup for the FreeBSD fuzzer instances..
 3 | 
 4 | pkg install -y vim python3 e2fsprogs p7zip gdb wget curl
 5 | kldload ext2fs
 6 | sed -i -e 's/#PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config
 7 | sed -i -e 's/#PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
 8 | 
 9 | /etc/rc.d/sshd restart
10 | 
11 | echo "kern.panic_reboot_wait_time=-1" >> /etc/sysctl.conf # Doesnt reboot on crash
12 | # echo "kern.panic_reboot_wait_time=0" >> /etc/sysctl.conf # immediate reboot on crash
13 | echo "vm.redzone.panic=1" >> /etc/sysctl.conf


--------------------------------------------------------------------------------
/misc/vm_setup/kern.diff:
--------------------------------------------------------------------------------
  1 | 1,19d0
  2 | < #
  3 | < # GENERIC -- Generic kernel configuration file for FreeBSD/amd64
  4 | < #
  5 | < # For more information on this file, please read the config(5) manual page,
  6 | < # and/or the handbook section on Kernel Configuration Files:
  7 | < #
  8 | < #    https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
  9 | < #
 10 | < # The handbook is also available locally in /usr/share/doc/handbook
 11 | < # if you've installed the doc distribution, otherwise always see the
 12 | < # FreeBSD World Wide Web server (https://www.FreeBSD.org/) for the
 13 | < # latest information.
 14 | < #
 15 | < # An exhaustive list of options and more detailed explanations of the
 16 | < # device lines is also present in the ../../conf/NOTES and NOTES files.
 17 | < # If you are in doubt as to the purpose or necessity of a line, check first
 18 | < # in NOTES.
 19 | < #
 20 | < # $FreeBSD: releng/12.1/sys/amd64/conf/GENERIC 346179 2019-04-13 08:52:52Z dim $
 21 | 90a72,81
 22 | > # ADDED_START
 23 | > options     DDB
 24 | > options     KDB_UNATTENDED
 25 | > # options     DDB_NUMSYM
 26 | > options     INVARIANTS
 27 | > options     INVARIANT_SUPPORT
 28 | > options     DIAGNOSTIC
 29 | > options     DEBUG_REDZONE
 30 | > #options     PANIC_REBOOT_WAIT_TIME=0
 31 | > # ADDED_END
 32 | 91a83
 33 | >
 34 | 112,114d103
 35 | < # Floppy drives
 36 | < device		fdc
 37 | <
 38 | 121,136d109
 39 | < # SCSI Controllers
 40 | < device		ahc			# AHA2940 and onboard AIC7xxx devices
 41 | < device		ahd			# AHA39320/29320 and onboard AIC79xx devices
 42 | < device		esp			# AMD Am53C974 (Tekram DC-390(T))
 43 | < device		hptiop			# Highpoint RocketRaid 3xxx series
 44 | < device		isp			# Qlogic family
 45 | < #device		ispfw			# Firmware for QLogic HBAs- normally a module
 46 | < device		mpt			# LSI-Logic MPT-Fusion
 47 | < device		mps			# LSI-Logic MPT-Fusion 2
 48 | < device		mpr			# LSI-Logic MPT-Fusion 3
 49 | < #device		ncr			# NCR/Symbios Logic
 50 | < device		sym			# NCR/Symbios Logic (newer chipsets + those of `ncr')
 51 | < device		trm			# Tekram DC395U/UW/F DC315U adapters
 52 | < device		isci			# Intel C600 SAS controller
 53 | < device		ocs_fc			# Emulex FC adapters
 54 | <
 55 | 147,175d119
 56 | < # RAID controllers interfaced to the SCSI subsystem
 57 | < device		amr			# AMI MegaRAID
 58 | < device		arcmsr			# Areca SATA II RAID
 59 | < device		ciss			# Compaq Smart RAID 5*
 60 | < device		dpt			# DPT Smartcache III, IV - See NOTES for options
 61 | < device		hptmv			# Highpoint RocketRAID 182x
 62 | < device		hptnr			# Highpoint DC7280, R750
 63 | < device		hptrr			# Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
 64 | < device		hpt27xx			# Highpoint RocketRAID 27xx
 65 | < device		iir			# Intel Integrated RAID
 66 | < device		ips			# IBM (Adaptec) ServeRAID
 67 | < device		mly			# Mylex AcceleRAID/eXtremeRAID
 68 | < device		twa			# 3ware 9000 series PATA/SATA RAID
 69 | < device		smartpqi		# Microsemi smartpqi driver
 70 | < device		tws			# LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
 71 | <
 72 | < # RAID controllers
 73 | < device		aac			# Adaptec FSA RAID
 74 | < device		aacp			# SCSI passthrough for aac (requires CAM)
 75 | < device		aacraid			# Adaptec by PMC RAID
 76 | < device		ida			# Compaq Smart RAID
 77 | < device		mfi			# LSI MegaRAID SAS
 78 | < device		mlx			# Mylex DAC960 family
 79 | < device		mrsas			# LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
 80 | < device		pmspcv			# PMC-Sierra SAS/SATA Controller driver
 81 | < #XXX pointer/int warnings
 82 | < #device		pst			# Promise Supertrak SX6000
 83 | < device		twe			# 3ware ATA RAID
 84 | <
 85 | 180,186d123
 86 | < # atkbdc0 controls both the keyboard and the PS/2 mouse
 87 | < device		atkbdc			# AT keyboard controller
 88 | < device		atkbd			# AT keyboard
 89 | < device		psm			# PS/2 mouse
 90 | <
 91 | < device		kbdmux			# keyboard multiplexer
 92 | <
 93 | 203,211d139
 94 | < # PCCARD (PCMCIA) support
 95 | < # PCMCIA and cardbus bridge support
 96 | < device		cbb			# cardbus (yenta) bridge
 97 | < device		pccard			# PC Card (16-bit) bus
 98 | < device		cardbus			# CardBus (32-bit) bus
 99 | <
100 | < # Serial (COM) ports
101 | < device		uart			# Generic UART driver
102 | <
103 | 215d142
104 | < device		lpt			# Printer
105 | 217d143
106 | < #device		vpo			# Requires scbus and da
107 | 219d144
108 | < device		puc			# Multi I/O cards and multi-channel UARTs
109 | 224,228d148
110 | < device		ix			# Intel PRO/10GbE PCIE PF Ethernet
111 | < device		ixv			# Intel PRO/10GbE PCIE VF Ethernet
112 | < device		ixl			# Intel 700 Series Physical Function
113 | < device		iavf			# Intel Adaptive Virtual Function
114 | < device		vmx			# VMware VMXNET3 Ethernet
115 | 230,302d149
116 | < # PCI Ethernet NICs.
117 | < device		bxe			# Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
118 | < device		de			# DEC/Intel DC21x4x (``Tulip'')
119 | < device		le			# AMD Am7900 LANCE and Am79C9xx PCnet
120 | < device		ti			# Alteon Networks Tigon I/II gigabit Ethernet
121 | < device		txp			# 3Com 3cR990 (``Typhoon'')
122 | < device		vx			# 3Com 3c590, 3c595 (``Vortex'')
123 | <
124 | < # PCI Ethernet NICs that use the common MII bus controller code.
125 | < # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
126 | < device		miibus			# MII bus support
127 | < device		ae			# Attansic/Atheros L2 FastEthernet
128 | < device		age			# Attansic/Atheros L1 Gigabit Ethernet
129 | < device		alc			# Atheros AR8131/AR8132 Ethernet
130 | < device		ale			# Atheros AR8121/AR8113/AR8114 Ethernet
131 | < device		bce			# Broadcom BCM5706/BCM5708 Gigabit Ethernet
132 | < device		bfe			# Broadcom BCM440x 10/100 Ethernet
133 | < device		bge			# Broadcom BCM570xx Gigabit Ethernet
134 | < device		cas			# Sun Cassini/Cassini+ and NS DP83065 Saturn
135 | < device		dc			# DEC/Intel 21143 and various workalikes
136 | < device		et			# Agere ET1310 10/100/Gigabit Ethernet
137 | < device		fxp			# Intel EtherExpress PRO/100B (82557, 82558)
138 | < device		gem			# Sun GEM/Sun ERI/Apple GMAC
139 | < device		hme			# Sun HME (Happy Meal Ethernet)
140 | < device		jme			# JMicron JMC250 Gigabit/JMC260 Fast Ethernet
141 | < device		lge			# Level 1 LXT1001 gigabit Ethernet
142 | < device		msk			# Marvell/SysKonnect Yukon II Gigabit Ethernet
143 | < device		nfe			# nVidia nForce MCP on-board Ethernet
144 | < device		nge			# NatSemi DP83820 gigabit Ethernet
145 | < device		pcn			# AMD Am79C97x PCI 10/100 (precedence over 'le')
146 | < device		re			# RealTek 8139C+/8169/8169S/8110S
147 | < device		rl			# RealTek 8129/8139
148 | < device		sf			# Adaptec AIC-6915 (``Starfire'')
149 | < device		sge			# Silicon Integrated Systems SiS190/191
150 | < device		sis			# Silicon Integrated Systems SiS 900/SiS 7016
151 | < device		sk			# SysKonnect SK-984x & SK-982x gigabit Ethernet
152 | < device		ste			# Sundance ST201 (D-Link DFE-550TX)
153 | < device		stge			# Sundance/Tamarack TC9021 gigabit Ethernet
154 | < device		tl			# Texas Instruments ThunderLAN
155 | < device		tx			# SMC EtherPower II (83c170 ``EPIC'')
156 | < device		vge			# VIA VT612x gigabit Ethernet
157 | < device		vr			# VIA Rhine, Rhine II
158 | < device		wb			# Winbond W89C840F
159 | < device		xl			# 3Com 3c90x (``Boomerang'', ``Cyclone'')
160 | <
161 | < # Wireless NIC cards
162 | < device		wlan			# 802.11 support
163 | < options 	IEEE80211_DEBUG		# enable debug msgs
164 | < options 	IEEE80211_AMPDU_AGE	# age frames in AMPDU reorder q's
165 | < options 	IEEE80211_SUPPORT_MESH	# enable 802.11s draft support
166 | < device		wlan_wep		# 802.11 WEP support
167 | < device		wlan_ccmp		# 802.11 CCMP support
168 | < device		wlan_tkip		# 802.11 TKIP support
169 | < device		wlan_amrr		# AMRR transmit rate control algorithm
170 | < device		an			# Aironet 4500/4800 802.11 wireless NICs.
171 | < device		ath			# Atheros NICs
172 | < device		ath_pci			# Atheros pci/cardbus glue
173 | < device		ath_hal			# pci/cardbus chip support
174 | < options 	AH_SUPPORT_AR5416	# enable AR5416 tx/rx descriptors
175 | < options 	AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
176 | < options 	ATH_ENABLE_11N		# Enable 802.11n support for AR5416 and later
177 | < device		ath_rate_sample		# SampleRate tx rate control for ath
178 | < #device		bwi			# Broadcom BCM430x/BCM431x wireless NICs.
179 | < #device		bwn			# Broadcom BCM43xx wireless NICs.
180 | < device		ipw			# Intel 2100 wireless NICs.
181 | < device		iwi			# Intel 2200BG/2225BG/2915ABG wireless NICs.
182 | < device		iwn			# Intel 4965/1000/5000/6000 wireless NICs.
183 | < device		malo			# Marvell Libertas wireless NICs.
184 | < device		mwl			# Marvell 88W8363 802.11n wireless NICs.
185 | < device		ral			# Ralink Technology RT2500 wireless NICs.
186 | < device		wi			# WaveLAN/Intersil/Symbol 802.11 wireless NICs.
187 | < device		wpi			# Intel 3945ABG wireless NICs.
188 | <
189 | 330,344d176
190 | <
191 | < # Sound support
192 | < device		sound			# Generic sound driver (required)
193 | < device		snd_cmi			# CMedia CMI8338/CMI8738
194 | < device		snd_csa			# Crystal Semiconductor CS461x/428x
195 | < device		snd_emu10kx		# Creative SoundBlaster Live! and Audigy
196 | < device		snd_es137x		# Ensoniq AudioPCI ES137x
197 | < device		snd_hda			# Intel High Definition Audio
198 | < device		snd_ich			# Intel, NVidia and other ICH AC'97 Audio
199 | < device		snd_via8233		# VIA VT8233x Audio
200 | <
201 | < # MMC/SD
202 | < device		mmc			# MMC/SD bus
203 | < device		mmcsd			# MMC/SD memory card
204 | < device		sdhci			# Generic PCI SD Host Controller
205 | 


--------------------------------------------------------------------------------
/misc/vm_setup/loader.conf:
--------------------------------------------------------------------------------
1 | autoboot_delay='1'
2 | 


--------------------------------------------------------------------------------
/misc/vm_setup/make_kern.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 | cd /usr/src
3 | make -j4 buildkernel KERNCONF=CUSTOM
4 | make installkernel KERNCONF=CUSTOM
5 | 


--------------------------------------------------------------------------------
/misc/vm_setup/rc.conf:
--------------------------------------------------------------------------------
1 | hostname=""
2 | keymap="us.kbd"
3 | ifconfig_em0="DHCP"
4 | sshd_enable="YES"
5 | dumpdev="AUTO"
6 | 


--------------------------------------------------------------------------------
/misc/vm_setup/sysctl.conf:
--------------------------------------------------------------------------------
1 | kern.panic_reboot_wait_time=0
2 | vm.redzone.panic=1
3 | 


--------------------------------------------------------------------------------
/presentation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/presentation.pdf


--------------------------------------------------------------------------------
/src/README.md:
--------------------------------------------------------------------------------
1 | #### Ubuntu UFS package
2 | 
3 | * [ufsitil.deb](https://mirrors.mediatemple.net/debian-archive/debian/pool/main/u/ufsutils/)


--------------------------------------------------------------------------------
/src/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/src/__init__.py


--------------------------------------------------------------------------------
/src/ext_superblock_parser.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import argparse
  4 | import os
  5 | import pathlib
  6 | import pprint as pp
  7 | import re
  8 | import sys
  9 | from collections import OrderedDict
 10 | from ctypes import *
 11 | 
 12 | from fs_util import get_int, EXT_SB, EXT_MAGIC, SBLOCK_EXT2, MAGIC_BYTES_OFF
 13 | 
 14 | 
 15 | class EXT(Structure):
 16 |     def __init__(self, fs, fst):
 17 |         super(Structure).__init__()
 18 |         self.sb = OrderedDict()
 19 |         self.sb_expected_len = 960
 20 |         self.fs = fs
 21 |         self.fst = fst
 22 |         self.sb_locs = []
 23 |         self.sb_locs = []
 24 |         self._fields_sb = EXT_SB
 25 | 
 26 |     def _sanity_check(self):
 27 |         res_sb = 0
 28 |         for _, v in self._fields_sb:
 29 |             res_sb += sizeof(v)
 30 |         assert res_sb == self.sb_expected_len
 31 | 
 32 |     def read_superblock_in_dict(self, loc=SBLOCK_EXT2):
 33 |         with open(self.fs, "rb") as f:
 34 |             f.seek(loc)
 35 |             for field in self._fields_sb:
 36 |                 self.sb[field[0]] = f.read(sizeof(field[1]))
 37 | 
 38 |     def find_all_superblocks(self):
 39 |         self.read_superblock_in_dict()
 40 |         with open(self.fs, "rb") as f:
 41 |             f.seek(0)
 42 |             data = f.read()
 43 |             # Using uuid because the EXT2 magic is too short to yield good results
 44 |             matches = re.finditer(self.sb["e2fs_uuid"], data)
 45 |             for m in matches:
 46 |                 bytearr = bytearray()
 47 |                 sb = m.span()[0] - 104
 48 |                 bytearr.append(data[sb + MAGIC_BYTES_OFF])
 49 |                 bytearr.append(data[sb + MAGIC_BYTES_OFF + 1])
 50 |                 if bytearr == EXT_MAGIC:
 51 |                     self.sb_locs.append(sb)
 52 | 
 53 |     def find_all_cylinder_groups(self):
 54 |         self.cg_locs = []
 55 | 
 56 |     def print_superblock(self):
 57 |         tmp = OrderedDict()
 58 |         for key, value in self.sb.items():
 59 |             if key in ["e3fs_def_hash_version", "e3fs_jnl_backup_type", "e3fs_journal_uuid", "e2fs_fsmnt", "e2fs_vname"]:
 60 |                 tmp[key] = hex(get_int(value, signed=False))
 61 |             else:
 62 |                 tmp[key] = hex(get_int(value, signed=False))
 63 |         pp.pprint(tmp)
 64 | 
 65 |     def dump_superblock(self, n=SBLOCK_EXT2):
 66 |         self.read_superblock_in_dict(loc=n)
 67 |         p = str(pathlib.Path(self.fs).parent)
 68 |         c = str(pathlib.Path(self.fs).name)
 69 |         fp = os.path.join(p, f"superblock_{hex(n)}_" + c + ".dump")
 70 |         with open(fp, "wb") as f:
 71 |             for _, value in self.sb.items():
 72 |                 f.write(value)
 73 |         print(f"[+] Dumped {fp}")
 74 | 
 75 |     def dump_all_superblocks(self):
 76 |         self.find_all_superblocks()
 77 |         for i in self.sb_locs:
 78 |             self.dump_superblock(n=i)
 79 | 
 80 | 
 81 | def main():
 82 |     parser = argparse.ArgumentParser(description="EXT file system parser")
 83 |     parser.add_argument(
 84 |         "--dump", "-d", action="store_true", default=False, dest="dump", help="Dumps the first superblock to disk"
 85 |     )
 86 |     parser.add_argument(
 87 |         "--dump_all", "-da", action="store_true", default=False, dest="dump_all", help="Dumps all superblocks to disk"
 88 |     )
 89 |     parser.add_argument(
 90 |         "--print_superblock",
 91 |         "-ps",
 92 |         type=int,
 93 |         default=-1,
 94 |         dest="print_sb",
 95 |         help="Print the n-th superblock to stdout. Default: %(default)s",
 96 |     )
 97 |     parser.add_argument(
 98 |         "--find_all",
 99 |         "-fa",
100 |         action="store_true",
101 |         default=False,
102 |         dest="find_all",
103 |         help="Finds all superblock locations and prints them to stdout",
104 |     )
105 |     parser.add_argument("--file_system", "-f", required=True, type=pathlib.Path, help="UFS Filesystem")
106 | 
107 |     args = parser.parse_args()
108 | 
109 |     ext = EXT(args.file_system, "ext")
110 |     if args.dump:
111 |         ext.dump_superblock()
112 |     if args.dump_all:
113 |         ext.dump_all_superblocks()
114 |     if args.find_all:
115 |         ext.find_all_superblocks()
116 |         res = ", ".join(hex(e) for e in ext.sb_locs)
117 |         print(f"[+] Found superblock offsets: {res}")
118 |     if args.print_sb >= 0:
119 |         ext.find_all_superblocks()
120 |         ext.read_superblock_in_dict(ext.sb_locs[args.print_sb])
121 |         ext.print_superblock()
122 | 
123 | 
124 | if __name__ == "__main__":
125 |     sys.exit(main())
126 | 


--------------------------------------------------------------------------------
/src/fs_fuzzer.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import argparse
  4 | import getpass
  5 | import logging
  6 | import os
  7 | import pathlib
  8 | import re
  9 | import socket
 10 | import sys
 11 | 
 12 | import colorama as clr
 13 | import paramiko as pm
 14 | 
 15 | 
 16 | class Fuzzer:
 17 |     def __init__(self, host, fn, ft, mntpt, user_sim, port=22):
 18 |         self.host = host
 19 |         self.port = port
 20 |         self.lfile = fn[0]
 21 |         self.rfile = fn[1]
 22 |         self.fs_type = ft
 23 |         self.rshell = None
 24 |         self.vm_user = self.vm_password = "root"
 25 |         self.mount_at = mntpt
 26 |         self.user_sim = user_sim
 27 | 
 28 |     def __exit__(self):
 29 |         return 1
 30 | 
 31 |     def _get_basic_ssh_conn(self):
 32 |         self.get_vm_credentials()
 33 |         ssh_conn = pm.SSHClient()
 34 |         ssh_conn.set_missing_host_key_policy(pm.AutoAddPolicy())
 35 |         ssh_conn.connect(
 36 |             hostname=self.host,
 37 |             port=self.port,
 38 |             username=self.vm_user,
 39 |             password=self.vm_password,
 40 |             look_for_keys=False,
 41 |             allow_agent=False,
 42 |             timeout=15,
 43 |         )
 44 |         return ssh_conn
 45 | 
 46 |     def get_vm_credentials(self):
 47 |         if self.vm_user is None or self.vm_password is None:
 48 |             self.vm_user = str(input('Username for "{}": '.format(self.host)))
 49 |             self.vm_password = getpass.getpass("Password: ")
 50 |         else:
 51 |             logging.debug("Reusing stored vm credentials.")
 52 | 
 53 |     def invoke_remote_ssh_shell(self):
 54 |         ssh_conn = self._get_basic_ssh_conn()
 55 |         ssh_conn.get_transport().set_keepalive(200)
 56 |         ssh_conn.get_transport().open_session()
 57 |         ssh_conn.invoke_shell()
 58 |         self.rshell = ssh_conn
 59 |         return ssh_conn
 60 | 
 61 |     def _exec(self, cmd, to=3):
 62 |         if not self.rshell:
 63 |             logging.debug(f"new rshell for ... {cmd}")
 64 |             self.invoke_remote_ssh_shell()
 65 |         try:
 66 |             # get_pty=True combines stdout/stderr
 67 |             _, stdout, _ = self.rshell.exec_command(cmd, get_pty=True, timeout=to)
 68 |             stdout_decoded = stdout.read().decode().strip()
 69 |             if stdout_decoded != "":
 70 |                 return stdout_decoded
 71 |             else:
 72 |                 return None
 73 |         except (pm.ssh_exception.SSHException, socket.timeout, pm.ssh_exception.NoValidConnectionsError) as e:
 74 |             logging.debug("_EXEC ERROR: {}".format(e))
 75 |             return 2
 76 |         except UnicodeDecodeError:
 77 |             return 1
 78 | 
 79 |     def mkdir(self, rpath):
 80 |         return self.exec_get_return_code(f"/bin/mkdir -p {rpath}; echo $?")
 81 | 
 82 |     def rm_files(self, rpath):
 83 |         return self.exec_get_return_code(f"/bin/rm -rf {rpath}; echo $?")
 84 | 
 85 |     def vm_ls(self, rpath):
 86 |         return self._exec(f"/bin/ls -lah {rpath}")
 87 | 
 88 |     def exec_cmd_quiet(self, cmd):
 89 |         stdout = self._exec(cmd)
 90 |         return stdout
 91 | 
 92 |     def exec_cmd(self, cmd):
 93 |         stdout = self._exec(cmd)
 94 |         print("{}".format(stdout))
 95 |         return stdout
 96 | 
 97 |     def exec_get_return_code(self, cmd):
 98 |         res = str(self.exec_cmd_quiet(cmd))
 99 |         if int(res[-1]) != 0:
100 |             return False
101 |         else:
102 |             return True
103 | 
104 |     def interactive_shell(self):
105 |         print(clr.Fore.RED + 'Exit remote shell via "bye"' + clr.Fore.RESET)
106 |         while True:
107 |             command = input("$> ")
108 |             if command.strip().lower() == "bye":
109 |                 sys.exit(0)
110 |             else:
111 |                 self.exec_cmd(command)
112 | 
113 |     def cp_to_local(self, rp, lp):
114 |         ftpc = self.rshell.open_sftp()
115 |         ftpc.get(rp, lp)
116 |         ftpc.close()
117 | 
118 |     def cp_to_remote(self, lp, rp):
119 |         ftpc = self.rshell.open_sftp()
120 |         ftpc.put(lp, rp)
121 |         ftpc.close()
122 | 
123 |     def _mk_blk_dev(self):
124 |         logging.debug("CREATING BLKDEV FOR: {}".format(self.rfile))
125 |         cmd = "/sbin/mdconfig -a -t vnode -f {}".format(self.rfile)
126 |         print(cmd)
127 |         self.block_device = os.path.join("/dev", self.exec_cmd_quiet(cmd))
128 | 
129 |     def _mount(self):
130 |         self._clean_mount_dir()
131 |         self._determine_fs_type()
132 |         self._mk_blk_dev()
133 |         self._mount_ext_ufs()
134 | 
135 |     def _determine_fs_type(self):
136 |         file_output = self.exec_cmd_quiet("/usr/bin/file {}".format(self.rfile))
137 |         match = re.search(r"ext[1-4] filesystem data", file_output)
138 |         if match:
139 |             self.fs_type = match.group(0).split()[0]
140 |         elif "Unix Fast File system" in file_output:
141 |             self.fs_type = "ufs"
142 |         elif "data" in file_output:
143 |             self.fs_type = "zfs"
144 | 
145 |     def _clean_mount_dir(self):
146 |         self.rm_files(self.mount_at)
147 |         self.mkdir(self.mount_at)
148 | 
149 |     def _get_mount_switch(self):
150 |         if any(x == self.fs_type for x in ["ext2", "ext3", "ext4"]):
151 |             flag = "ext2fs"
152 |         elif self.fs_type == "ufs":
153 |             flag = "ufs"
154 |         else:
155 |             print("Malformed file system")
156 |             print('Trying mount -t "auto" ...')
157 |             flag = "auto"
158 |         return flag
159 | 
160 |     def _mount_ext_ufs(self):
161 |         cmd = '/sbin/mount -t "{}" {} {}'.format(self._get_mount_switch(), self.block_device, self.mount_at)
162 |         print(cmd)
163 |         if not self.exec_cmd_quiet(cmd):
164 |             return 1  # Success
165 |         else:
166 |             logging.debug("Mounting of {} failed".format(self.block_device))  # Failed
167 |             return 0
168 | 
169 |     def _umk_blk_dev(self):
170 |         cmd = "/sbin/mdconfig -d -u {}".format(self.block_device)
171 |         print(cmd)
172 |         return self.exec_cmd_quiet(cmd)
173 | 
174 |     def _umount(self):
175 |         return self._unmount_ext_ufs()
176 | 
177 |     def _unmount_ext_ufs(self):
178 |         cmd_mount = "/sbin/umount -f {}".format(self.mount_at)
179 |         print(cmd_mount)
180 |         if not self.exec_cmd_quiet(cmd_mount) and not self._umk_blk_dev():
181 |             return 1  # Success
182 |         else:
183 |             logging.debug("Failed to properly umount {}".format(self.mount_at))
184 |             return 0
185 | 
186 |     def _is_alive(self):
187 |         if self._exec(f"ping -c1 {self.host}", to=1) != 2:
188 |             return 1
189 |         else:
190 |             return 0
191 | 
192 |     def fuzz(self):
193 |         if self.lfile is not "" and pathlib.Path(self.lfile).exists():
194 |             self.cp_to_remote(self.lfile, self.rfile)
195 |         self._mount()
196 |         if self._is_alive():
197 |             if self.user_sim:
198 |                 self._user_interaction()
199 |             else:
200 |                 self._umount()
201 |         else:
202 |             # gotta reset vm
203 |             print("[!] Target is dead..")
204 | 
205 |     def _user_interaction(self):
206 |         # self._exec('find /mnt/HITB/')
207 |         # self._exec(
208 |         #    'mkdir -p /mnt/HITB/qNVzrx8xrw7hJ0e9sNynpSbICS5olJQmKQWNcZpX6L3foywr21FaqOWe6z6LnVxWeYUsR3PlIurBjLK5gaIoogjGoKQLNkV1e1/a/b/c')
209 |         # self._exec('cp /bin/ls /mnt/HITB/')
210 |         self._exec("/usr/bin/dirname /mnt/")
211 |         self._exec("bin/rm -rf /mnt/HITB/reFEk8zIzNNNdIHqWStDP2DXU4Em4xeIbujCvW3IoqkJFMc0VtHmZWAF3pjUGHGADqSGruv")
212 | 
213 |     def poc(self, shell=False, emul=False):
214 |         if self.lfile is not "" and pathlib.Path(self.lfile).exists():
215 |             self.cp_to_remote(self.lfile, self.rfile)
216 |         self._mount()
217 |         if self._is_alive():
218 |             if shell:
219 |                 self.interactive_shell()
220 |             elif emul:
221 |                 self._user_interaction()
222 |             self._umount()
223 |         else:
224 |             return 1
225 | 
226 | 
227 | def main():
228 |     parser = argparse.ArgumentParser(description="Fuzzer.")
229 |     parser.add_argument("--host", "-rh", type=str, help="Remote Host", default="192.168.122.232")
230 |     parser.add_argument("--port", "-p", type=int, help="Remote Port", default=22)
231 |     parser.add_argument("--file", "-f", default=[], nargs=2, help="File to copy to remote. Requires lpath and rpath")
232 |     parser.add_argument("--file_type", "-ft", type=str, help="File system type")
233 |     parser.add_argument("--remote_mount_point", "-rmp", type=str, help="Mount point on host")
234 |     parser.add_argument(
235 |         "--user_interaction", "-ui", action="store_true", help="Emulate a user interaction if mount is successful"
236 |     )
237 |     parser.add_argument("--copy_from", "-cf", nargs=2, help="remote -> local. Requires lpath and rpath")
238 |     parser.add_argument("--copy_to", "-ct", nargs=2, help="local -> remote. Requires lpath and rpath")
239 |     parser.add_argument("--poc_1", "-1", action="store_true", help="DEMO 1 - Default")
240 |     parser.add_argument("--poc_2", "-2", action="store_true", help="DEMO 2 - SB Injection 1")
241 |     parser.add_argument("--poc_3", "-3", action="store_true", help="DEMO 3 - SB Injection 2")
242 |     parser.add_argument("--poc_4", "-4", action="store_true", help="DEMO 4 - rad_ufs2_15")
243 |     parser.add_argument("--poc_5", "-5", action="store_true", help="DEMO 5 - rad_ufs2_15")
244 | 
245 |     args = parser.parse_args()
246 | 
247 |     if args.poc_1:
248 |         fuzzer = Fuzzer(host="192.168.122.232", port=22, fn=["", "/root/poc1_ufs2"], ft="ufs", mntpt="/mnt/HITB/", user_sim=None)
249 |         fuzzer.poc(shell=True)
250 |     if args.poc_2:
251 |         # inject into mnt path
252 |         fuzzer = Fuzzer(host="192.168.122.232", port=22, fn=["", "/root/poc2_ufs2"], ft="ufs", mntpt="/mnt/HITB/", user_sim=None)
253 |         fuzzer.poc(shell=True)
254 |     if args.poc_3:
255 |         # inject into magic bytes
256 |         fuzzer = Fuzzer(
257 |             host="192.168.122.232", port=22, fn=["", "/root/poc3_sb0_ufs2"], ft="ufs", mntpt="/mnt/HITB/", user_sim=None
258 |         )
259 |         fuzzer.poc(shell=True)
260 |     if args.poc_4:
261 |         # radamsa mutated mount crash
262 |         Fuzzer(host="192.168.122.232", port=22, fn=["", "/root/poc4_ufs2"], ft="ufs", mntpt="/mnt/HITB/", user_sim=None).fuzz()
263 |     if args.poc_5:
264 |         # radamsa mutated UI crash with a whole lotta weirdness
265 |         Fuzzer(host="192.168.122.232", port=22, fn=["", "/root/poc5_ufs"], ft="ufs", mntpt="/mnt/HITB/", user_sim=None).poc(
266 |             emul=True
267 |         )
268 | 
269 |     if args.copy_from:
270 |         pass
271 |     if args.copy_to:
272 |         pass
273 |     if all([args.host, args.port, args.file, args.file_type, args.remote_mount_point]):
274 |         Fuzzer(
275 |             host=args.host,
276 |             port=args.port,
277 |             fn=args.file,
278 |             ft=args.file_type,
279 |             mntpt=args.remote_mount_point,
280 |             user_sim=args.user_interaction,
281 |         ).fuzz()
282 | 
283 | 
284 | if __name__ == "__main__":
285 |     main()
286 | 


--------------------------------------------------------------------------------
/src/fs_generator.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | import argparse
  3 | import json
  4 | import logging
  5 | import os
  6 | import pathlib
  7 | import platform
  8 | import random
  9 | import string
 10 | import subprocess
 11 | import sys
 12 | import uuid
 13 | from shutil import rmtree
 14 | from typing import List
 15 | 
 16 | CHARSET_EASY = string.ascii_letters + string.digits  # excluding special characters due to parsing difficulties
 17 | 
 18 | SUPPORTED_FILE_SYSTEMS = {
 19 |     "freebsd": ["ufs1", "ufs2", "zfs", "ext2", "ext3", "ext4"],
 20 |     "netbsd": ["4.3bsd", "ufs1", "ufs2", "ext2"],
 21 |     "openbsd": ["4.3bsd", "ufs1", "ufs2", "ext2"],
 22 |     "linux": ["uf1", "ufs2", "ext2", "ext3", "ext4", "zfs"],
 23 |     "darwin": ["apfs"],
 24 | }
 25 | 
 26 | 
 27 | def _mk_dir(_path: str):
 28 |     pathlib.Path(_path).mkdir(parents=True, exist_ok=True)
 29 | 
 30 | 
 31 | def _get_all_dirs(_path: str):
 32 |     return [x[0] for x in os.walk(_path)]
 33 | 
 34 | 
 35 | def _get_all_files(_path: str):
 36 |     files = []
 37 |     for (_dir, _, file_names) in os.walk(_path):
 38 |         files += [os.path.join(_dir, file) for file in file_names]
 39 |     for (_dir, dir_names, _) in os.walk(_path):
 40 |         files += [os.path.join(_dir, d) for d in dir_names]
 41 |     return files
 42 | 
 43 | 
 44 | def _get_all_data_files(_path: str):
 45 |     files = []
 46 |     for (_dir, _, file_names) in os.walk(_path):
 47 |         files += [os.path.join(_dir, file) for file in file_names]
 48 |     return files
 49 | 
 50 | 
 51 | def _chk_availability(cmd: str):
 52 |     return not subprocess.call(["which", f"{cmd}"], stdout=subprocess.DEVNULL)
 53 | 
 54 | 
 55 | class GenericFilesystemCreator:
 56 |     def __init__(self):
 57 |         self.fs_name = None
 58 |         self.fs_type = None
 59 |         self.fs_size = None
 60 |         self.n_files = None
 61 |         self.max_fsize = None
 62 |         self.mount_pt = "/mnt"
 63 |         self.save_pt = "/tmp/"
 64 |         self.path = None
 65 |         self.seed = None
 66 |         self.logger = {}
 67 |         self.mode = None
 68 |         self.rng = random.Random()  # Class bound number generator
 69 |         self.host = platform.system().lower()
 70 |         self.data = None
 71 | 
 72 |     def __setup__(self, **kwargs):
 73 |         if "fs_name" in kwargs:
 74 |             self.fs_name = kwargs["fs_name"]
 75 |         if "fs_type" in kwargs:
 76 |             self.fs_type = kwargs["fs_type"]
 77 |         if "fs_size" in kwargs:
 78 |             self.fs_size = kwargs["fs_size"]
 79 |         if "n_files" in kwargs:
 80 |             self.n_files = kwargs["n_files"]
 81 |         if "max_fsize" in kwargs:
 82 |             self.max_fsize = kwargs["max_fsize"]
 83 |         if "mount_pt" in kwargs:
 84 |             self.mount_pt = kwargs["mount_pt"]
 85 |         if "save_pt" in kwargs:
 86 |             self.save_pt = kwargs["save_pt"]
 87 |         if "mode" in kwargs:
 88 |             self.mode = kwargs["mode"]
 89 |         if "data" in kwargs:
 90 |             self.data = kwargs["data"]
 91 | 
 92 |     def mk_file_system(self):
 93 |         self._parse_opts()
 94 |         if not any(x == self.fs_type for x in SUPPORTED_FILE_SYSTEMS[self.host]):
 95 |             logging.error(f"Requested file system not supported on current host os: {self.host}")
 96 |             sys.exit(1)
 97 |         self._init_mk_fs()
 98 |         host = self._set_target()
 99 |         self._create_fs(host)
100 | 
101 |     def _set_target(self):
102 |         target = None
103 |         if self.host == "freebsd":
104 |             target = FreeBSD
105 |         elif self.host == "netbsd":
106 |             target = NetBSD
107 |         elif self.host == "openbsd":
108 |             target = OpenBSD
109 |         elif self.host == "linux":
110 |             target = Ubuntu
111 |         elif self.host == "darwin":
112 |             target = Darwin
113 |         return target(
114 |             fs=self.fs_type,
115 |             size=self.fs_size,
116 |             name=self.fs_name,
117 |             location=self.path,
118 |             mount_pt=self.mount_pt,
119 |             n_files=self.n_files,
120 |             max_fsize=self.max_fsize,
121 |             mode=self.mode,
122 |             save_pt=self.save_pt,
123 |         )
124 | 
125 |     def _create_fs(self, target):
126 |         target.mk_fs()
127 |         if self.n_files and self.max_fsize:
128 |             self._logger_setup()
129 |             self._mount(target)
130 |             self._init_fs_dummy_data()
131 |             self._populate_fs()
132 |             target.unmount_fs()
133 |             rmtree(self.mount_pt)
134 |         else:
135 |             print(f"Created empty {self.fs_type} disk: {self.path} {self.fs_name}")
136 |             if target.fs_type == "zfs":
137 |                 target.unmount_fs()
138 | 
139 |     def _mount(self, target):
140 |         if self.fs_type != "zfs":
141 |             target.mount_pt = os.path.join(self.mount_pt, self.fs_name)
142 |             self.mount_pt = target.mount_pt
143 |             logging.info("Mounting...")
144 |             target.mount_fs()
145 | 
146 |     @staticmethod
147 |     def generic_mount(flag, dev, location):
148 |         try:
149 |             subprocess.call(
150 |                 f"/sbin/mount -t {flag} {dev} {location}".split(), stdout=subprocess.DEVNULL,
151 |             )
152 |             return 1
153 |         except subprocess.CalledProcessError:
154 |             return 0
155 | 
156 |     @staticmethod
157 |     def _generic_mk_zfs(name, dev):
158 |         if not _chk_availability("zpool"):
159 |             logging.error("Could not find zfs utils.")
160 |             logging.error("Please install the appropriate tooling: e.g.: zfsutils-linux on Debian.")
161 |             sys.exit(1)
162 |         try:
163 |             subprocess.call(f"zpool create {name} {dev}".split())
164 |             subprocess.call(f"zfs set mountpoint=/mnt/{name} {name}".split())
165 |             subprocess.call(f"zfs set atime=off {name}".split())
166 |             return os.path.join("/mnt", name)
167 |         except subprocess.CalledProcessError:
168 |             logging.error("Failed in genericMakeZFS routine!")
169 |             sys.exit(1)
170 | 
171 |     def _init_mk_fs(self):
172 |         if not self.fs_name:
173 |             self._set_fs_name()
174 |         self._mk_raw_disk()
175 | 
176 |     def _mk_raw_disk(self):
177 |         self.path = os.path.join(self.save_pt, self.fs_name)
178 |         pathlib.Path(self.path).write_bytes(b"0" * self.fs_size)
179 | 
180 |     def _set_fs_name(self):
181 |         self.fs_name = "fs_" + str(uuid.uuid4())
182 | 
183 |     def _populate_fs(self):
184 |         for f_ctr in range(self.n_files):
185 |             if self.data:
186 |                 self.seed = self.data["files"][f"seed_{f_ctr}"]["seed_value"]
187 |                 self.rng.seed(self.seed)
188 |             else:
189 |                 self._set_seed()
190 |             self._set_logger_seed(f_ctr)
191 |             coin_toss = self.rng.randint(0, 7)
192 |             all_dirs = _get_all_dirs(self.mount_pt)
193 |             self._create_files(all_dirs, coin_toss, f_ctr)
194 |             self._hierarchy_sanity_check(f_ctr)
195 |         print(json.dumps(self.logger, separators=(",", ":"), indent=4))
196 | 
197 |     def _hierarchy_sanity_check(self, f_ctr):
198 |         if self.data and self.logger["files"][f"seed_{f_ctr}"]["file_name"] != self.data["files"][f"seed_{f_ctr}"]["file_name"]:
199 |             self._shpr_hierarchy_verification(f_ctr)
200 | 
201 |     def _shpr_hierarchy_verification(self, fctr):
202 |         print("[!] Error reproducing same data hierarchy!!\n\n")
203 |         print(f"During seed {fctr}")
204 |         _expected = self.data["files"][f"seed_{fctr}"]["file_name"]
205 |         _actual = self.logger["files"][f"seed_{fctr}"]["file_name"]
206 |         print(f"Expected: {_expected}")
207 |         print(f"Got: {_actual}")
208 | 
209 |     def _create_files(self, all_dirs, coin_toss, fctr):
210 |         if coin_toss in range(0, 4):
211 |             self._create_data_file(self._get_new_rndm_file_path(all_dirs), fctr)
212 |         if coin_toss in range(4, 6):
213 |             self._create_dir(self._get_new_rndm_file_path(all_dirs), fctr)
214 |         if coin_toss == 6:
215 |             all_files = _get_all_files(self.mount_pt)
216 |             self._create_new_link(all_files, all_dirs, fctr, "SYM_LINK")
217 |         if coin_toss == 7:
218 |             all_data_files = _get_all_data_files(self.mount_pt)
219 |             self._create_new_link(all_data_files, all_dirs, fctr, "HARD_LINK")
220 | 
221 |     def _logger_setup(self):
222 |         self.logger["fs_name"] = self.fs_name
223 |         self.logger["fs_type"] = self.fs_type
224 |         self.logger["save_at"] = self.save_pt
225 |         self.logger["fs_size (MB)"] = str(int(self.fs_size) >> 20)
226 |         self.logger["amount_files"] = self.n_files
227 |         self.logger["max_file_size (MB)"] = str(int(self.max_fsize) >> 20)
228 |         self.logger["files"] = {}
229 |         self.logger["files"]["init_files"] = {}
230 | 
231 |     def _get_rndm_str(self, size: int, chars=CHARSET_EASY):
232 |         self.rng.seed(self.seed)
233 |         generated_string = "".join(self.rng.choice(chars) for x in range(size))
234 |         return generated_string
235 | 
236 |     def _get_rndm_path_from_lst(self, dirs: List, ignore_system_dirs=False):
237 |         self.rng.seed(self.seed)
238 |         rndm_idx = self.rng.randint(0, len(dirs) - 1)
239 |         if ignore_system_dirs:
240 |             if dirs[rndm_idx] not in [
241 |                 os.path.join(self.mount_pt, "lost+found"),
242 |                 os.path.join(self.mount_pt, ".snap"),
243 |             ]:
244 |                 return dirs[rndm_idx]
245 |             else:
246 |                 logging.debug("lost+found or .snap reached, recalling method...")
247 |                 return self._get_rndm_path_from_lst(dirs)
248 |         else:
249 |             return dirs[rndm_idx]
250 | 
251 |     def _get_new_rndm_file_path(self, dirs: List):
252 |         self.rng.seed(self.seed)
253 |         return os.path.join(self._get_rndm_path_from_lst(dirs), self._get_rndm_fname())
254 | 
255 |     def _get_rndm_fname(self):
256 |         n_len = self.rng.randint(1, 255)
257 |         return self._get_rndm_str(size=n_len)
258 | 
259 |     def _create_new_link(self, files: List, dirs: List, ctr: int, ftype: str):
260 |         try:
261 |             src = self.rng.choice(files)
262 |             dst = self._get_new_rndm_file_path(dirs)
263 |             if ftype == "SYM_LINK":
264 |                 self._create_symlink(src, dst)
265 |             if ftype == "HARD_LINK":
266 |                 self._create_hardlink(src, dst)
267 |             self._set_logger_generic(ctr, dst)
268 |             self._set_logger_specific(ctr, ftype=ftype, src=str(src))
269 |         except OSError:
270 |             pass
271 | 
272 |     @staticmethod
273 |     def _create_hardlink(src: str, dst: str):
274 |         os.link(src, dst)
275 | 
276 |     @staticmethod
277 |     def _create_symlink(src: str, dst: str):
278 |         os.symlink(src, dst)
279 | 
280 |     def _create_data_file(self, location: str, ctr: int):
281 |         try:
282 |             fsize = self.rng.randrange(0.25 * self.max_fsize, self.max_fsize, 50)
283 |             self._set_logger_generic(ctr, location)
284 |             self._set_logger_specific(ctr, ftype="FILE", fsize=fsize)
285 |             pathlib.Path(location).write_bytes(os.urandom(fsize))
286 |         except OSError:
287 |             pass
288 | 
289 |     def _create_dir(self, dpath: str, ctr: int):
290 |         if not os.path.exists(dpath):
291 |             try:
292 |                 _mk_dir(dpath)
293 |                 self._set_logger_specific(ctr, ftype="DIR")
294 |                 self._set_logger_generic(ctr, dpath)
295 |             except (OSError, BlockingIOError):
296 |                 self._create_dir(dpath[-3], ctr)
297 | 
298 |     def _set_logger_generic(self, ctr: int, _path: str):
299 |         self.logger["files"][f"seed_{ctr}"]["file_name"] = str(pathlib.Path(_path).name)
300 |         self.logger["files"][f"seed_{ctr}"]["file_path"] = str(pathlib.Path(_path).parent)
301 |         self.logger["files"][f"seed_{ctr}"]["full_path"] = str(_path)
302 | 
303 |     def _set_logger_specific(self, ctr: int, ftype=None, src=None, fsize=None):
304 |         if ftype:
305 |             self.logger["files"][f"seed_{ctr}"]["file_type"] = ftype
306 |         if src:
307 |             self.logger["files"][f"seed_{ctr}"]["source"] = src
308 |         if fsize:
309 |             self.logger["files"][f"seed_{ctr}"]["file_size"] = fsize
310 | 
311 |     def _set_seed(self):
312 |         if self.mode:
313 |             self.seed = self.rng.getrandbits(random.randint(1, 1024))
314 |         else:
315 |             self.seed = None
316 |         self.rng.seed(self.seed)
317 | 
318 |     def _set_logger_seed(self, f_ctr: int):
319 |         self.logger["files"][f"seed_{f_ctr}"] = {}
320 |         self.logger["files"][f"seed_{f_ctr}"]["seed_value"] = self.seed
321 | 
322 |     def _init_fs_dummy_data(self):
323 |         for i, v in list(enumerate(["FILE", "SYM_LINK", "DIR"])):
324 |             if self.data:
325 |                 self.seed = self.data["files"]["init_files"][f"init_{i}"]["seed"]
326 |                 self.rng.seed(self.seed)
327 |             else:
328 |                 self._set_seed()
329 |             _name = self._get_rndm_fname()
330 |             _path = os.path.join(self.mount_pt, _name)
331 |             if "FILE" in v:
332 |                 _touch_fn = _name
333 |                 pathlib.Path(_path).touch()
334 |             elif "SYM_LINK" in v:
335 |                 lnk_path = os.path.join(self.mount_pt, _name)
336 |                 os.symlink(os.path.join(self.mount_pt, _touch_fn), lnk_path)
337 |             else:
338 |                 pathlib.Path(_path).mkdir(parents=True, exist_ok=True)
339 |             self._set_logger_dummy_data(_name, _path, i, v)
340 |             if self.data:
341 |                 if _name != self.data["files"]["init_files"][f"init_{i}"]["name"]:
342 |                     self._shpr_dummy_sanity_check(i)
343 | 
344 |     def _shpr_dummy_sanity_check(self, ctr: int):
345 |         _data = self.data["files"]["init_files"][f"init_{ctr}"]["file_type"]
346 |         print(f"[!] Name mismatching for {_data}")
347 |         _expected = self.data["files"]["init_files"][f"init_{ctr}"]["name"]
348 |         _actual = self.logger["files"]["init_files"][f"init_{ctr}"]["name"]
349 |         print(f" Expected: {_expected}")
350 |         print(f" Got: {_actual}")
351 |         sys.exit(1)
352 | 
353 |     def _set_logger_dummy_data(self, name: str, _path: str, i: int, ftype: str):
354 |         self.logger["files"]["init_files"][f"init_{i}"] = {}
355 |         self.logger["files"]["init_files"][f"init_{i}"]["seed"] = self.seed
356 |         self.logger["files"]["init_files"][f"init_{i}"]["file_type"] = ftype
357 |         self.logger["files"]["init_files"][f"init_{i}"]["name"] = name
358 |         self.logger["files"]["init_files"][f"init_{i}"]["path"] = self.mount_pt
359 |         self.logger["files"]["init_files"][f"init_{i}"]["full_path"] = _path
360 |         if ftype is "SYM_LINK":
361 |             self.logger["files"]["init_files"][f"init_{i}"]["source"] = self.logger["files"]["init_files"]["init_0"]["full_path"]
362 | 
363 |     def _parse_opts(self):
364 |         log_data = None
365 |         parser = argparse.ArgumentParser()
366 |         parser.add_argument(
367 |             "-fs", "--filesystem", type=str, help="ext2, ext3, ext4, ufs1, ufs2, zfs, apfs",
368 |         )
369 |         parser.add_argument(
370 |             "-s",
371 |             "--size",
372 |             type=int,
373 |             default=10,
374 |             help="Specify the size in MB of the newly created file system, (default: %(default)s)",
375 |         )
376 |         parser.add_argument(
377 |             "-n", "--name", type=str, help="custom name you want to give the file system",
378 |         )
379 |         parser.add_argument(
380 |             "-o",
381 |             "--output_dir",
382 |             type=str,
383 |             default="/tmp/",
384 |             help="Path to store the newly created file system, (default: %(default)s)",
385 |         )
386 |         parser.add_argument(
387 |             "-p", "--populate", type=int, help="Number of files/directories that will be created on the fresh file system",
388 |         )
389 |         parser.add_argument(
390 |             "-ps", "--populate_size", type=int, help="Max file size limit in KB for -p option",
391 |         )
392 |         parser.add_argument(
393 |             "-mnt",
394 |             "--mount",
395 |             type=str,
396 |             default="/mnt/",
397 |             help="path to mount the filesystem for populating it, (default %(default)s)",
398 |         )
399 |         parser.add_argument(
400 |             "-m",
401 |             "--mode",
402 |             type=int,
403 |             default=1,
404 |             help="1 for determinism, or 0 for random (does not use seeds and does no logging), " "(default: %(default)s)",
405 |         )
406 |         parser.add_argument(
407 |             "-shp",
408 |             "--shaper",
409 |             action="append",
410 |             nargs=2,
411 |             help="Requires a valid json log file from the file system creation process and "
412 |             "the desired new file system size to reshape the create a new file system "
413 |             "with the same layout but of the new size!",
414 |         )
415 |         args = parser.parse_args()
416 |         if args.shaper:
417 |             log_data = json.loads(pathlib.Path(args.shaper[0][0]).read_text())
418 |             args.name = f"SHP_{args.shaper[0][1]}__" + log_data["fs_name"]
419 |             args.filesystem = str(log_data["fs_type"])
420 |             args.size = int(args.shaper[0][1])
421 |             args.populate = int(log_data["amount_files"])
422 |             args.populate_size = int(log_data["max_file_size (MB)"]) << 10
423 |             args.mode = 1
424 |             args.output_dir = str(log_data["save_at"])
425 |         if not args.size or not args.filesystem:
426 |             parser.print_help()
427 |             sys.exit(1)
428 |         if args.size < 64 and args.filesystem == "zfs":
429 |             parser.error("ZFS needs at least 64MB of disk size")
430 |             sys.exit(1)
431 |         elif args.size < 2 and args.filesystem == "ext3":
432 |             parser.error("EXT3 needs at least 2MB of disk size")
433 |             sys.exit(1)
434 |         if (args.populate and not args.populate_size) or (args.populate_size and not args.populate):
435 |             parser.error("-p and -ps depend on each other. Set both or neither of them!")
436 |             sys.exit(1)
437 |         elif args.populate_size and args.populate:
438 |             args.populate_size = args.populate_size << 10  # shift bytes into Megabytes
439 |         args.size = args.size << 20
440 |         if args.populate and args.populate_size and (args.populate * args.populate_size > args.size):
441 |             parser.error("New file system does not hold enough free space to write all requested files!")
442 |             sys.exit(1)
443 |         if args.output_dir:
444 |             _mk_dir(args.output_dir)
445 |         else:
446 |             _mk_dir(self.save_pt)
447 |         if args.mount:
448 |             _mk_dir(args.mount)
449 |         else:
450 |             _mk_dir(self.mount_pt)
451 |         if args.mode is 1:
452 |             self.mode = 1
453 |         else:
454 |             self.mode = 0
455 | 
456 |         self.__setup__(
457 |             fs_name=args.name,
458 |             fs_type=str(args.filesystem).lower(),
459 |             fs_size=args.size,
460 |             n_files=args.populate,
461 |             max_fsize=args.populate_size,
462 |             mode=args.mode,
463 |             save_pt=args.output_dir,
464 |             data=log_data,
465 |         )
466 | 
467 | 
468 | #######################################################################################################################
469 | # DARTWIN SPECIFIC FILE SYSTEM CREATION STEPS                                                                          #
470 | #######################################################################################################################
471 | 
472 | 
473 | class Darwin(GenericFilesystemCreator):
474 |     def __init__(self, fs, size, name, location, mount_pt, n_files, max_fsize, mode, save_pt):
475 |         super(Darwin, self).__init__()
476 |         self.fs_type = fs
477 |         self.fs_size = size
478 |         self.fs_name = name
479 |         self.path = location
480 |         self.dev = None
481 |         self.mount_pt = mount_pt
482 |         self.n_files = n_files
483 |         self.max_fsize = max_fsize
484 |         self.mode = mode
485 |         self.save_pt = save_pt
486 | 
487 |     def _attach_disk(self):
488 |         hdiutil_out = subprocess.check_output(
489 |             f"/usr/bin/hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount {self.path}".split(), encoding="utf-8",
490 |         ).strip()
491 |         self.dev = hdiutil_out.split()[-2].strip()  # needs better sanity checks
492 |         logging.debug(f"block device {self.dev} created")
493 |         return self.dev
494 | 
495 |     def _detach_disk(self):
496 |         subprocess.call(f"/usr/bin/hdiutil detach {self.dev}".split(), stdout=subprocess.DEVNULL)
497 | 
498 |     def mk_fs(self):
499 |         if self.fs_type == "apfs":
500 |             self._mk_apfs()
501 |             self._attach_disk()
502 |         logging.debug(f"{self.fs_name} was created successfully")
503 | 
504 |     def _mk_apfs(self):
505 |         subprocess.call(f"/sbin/newfs_{self.fs_type} -v {self.fs_name} {self.path}".split())
506 | 
507 |     def mount_fs(self):
508 |         _mk_dir(self.mount_pt)
509 |         try:
510 |             subprocess.call(
511 |                 f"/sbin/mount_{self.fs_type} {self.dev} {self.mount_pt}".split(), stdout=subprocess.DEVNULL,
512 |             )
513 |         except subprocess.CalledProcessError:
514 |             logging.error(f"Failed to mount {self.fs_name} during populating phase")
515 |             sys.exit(1)
516 |         except RuntimeError as e:
517 |             logging.error(e)
518 |             sys.exit(1)
519 |         finally:
520 |             self._detach_disk()
521 | 
522 |     def unmount_fs(self):
523 |         if self.fs_type == "apfs":
524 |             self._unmount_apfs()
525 | 
526 |     def _unmount_apfs(self):
527 |         try:
528 |             subprocess.call(f"/sbin/umount {self.dev}".split(), stdout=subprocess.DEVNULL)
529 |         except RuntimeError as e:
530 |             logging.error(e)
531 |         finally:
532 |             self._detach_disk()
533 | 
534 | 
535 | #######################################################################################################################
536 | # UBUNTU SPECIFIC FILE SYSTEM CREATION STEPS                                                                          #
537 | #######################################################################################################################
538 | 
539 | 
540 | class Ubuntu(GenericFilesystemCreator):
541 |     def __init__(self, fs, size, name, location, mount_pt, n_files, max_fsize, mode, save_pt):
542 |         super(Ubuntu, self).__init__()
543 |         self.fs_type = fs
544 |         self.fs_size = size
545 |         self.fs_name = name
546 |         self.path = location
547 |         self.dev = None
548 |         self.mount_pt = mount_pt
549 |         self.n_files = n_files
550 |         self.max_fsize = max_fsize
551 |         self.mode = mode
552 |         self.save_pt = save_pt
553 | 
554 |     def _mk_blk_dev(self):
555 |         self.dev = subprocess.check_output("losetup -f".split(), encoding="utf-8").strip()
556 |         subprocess.check_output(f"losetup {self.dev} {self.path}".split(), encoding="utf-8").strip()
557 |         logging.debug(f"block device {self.dev} created")
558 |         return self.dev
559 | 
560 |     def _unmk_blk_dev(self):
561 |         subprocess.call(f"losetup -d {self.dev}".split(), stdout=subprocess.DEVNULL)
562 | 
563 |     def mk_fs(self):
564 |         self._mk_blk_dev()
565 |         if self.fs_type in ["ufs1", "ufs2"]:
566 |             self._mk_ufs()
567 |         if self.fs_type in ["ext2", "ext3", "ext4"]:
568 |             self._mk_ext()
569 |         if self.fs_type == "zfs":
570 |             self._mk_zfs()
571 |         logging.debug(f"{self.fs_name} was created successfully")
572 | 
573 |     def _mk_ufs(self):
574 |         if not _chk_availability("mkfs.ufs"):
575 |             logging.error("Could not find mkfs.ufs")
576 |             logging.error(
577 |                 "Please install legacy package from:"
578 |                 "\thttps://mirrors.mediatemple.net/debian-archive/debian/pool/main/u/ufsutils/ufsutils_8.2-3_amd64.deb"
579 |             )
580 |             sys.exit(1)
581 |         if self.fs_type == "ufs1":
582 |             flag = 1
583 |         else:
584 |             flag = 2
585 |         # -b and -f flags ensure the same default result compared to FreeBSD
586 |         cmd = f"/sbin/mkfs.ufs -O {flag} -b 32768 -f 4096 {self.dev}"
587 |         subprocess.call(cmd.split(), close_fds=True, stdout=subprocess.DEVNULL)
588 |         print(
589 |             f"[*] The Ubuntu kernel has by default no write permissions for UFS.\n\tEmpty file system '{self.fs_name}' created."
590 |         )
591 |         sys.exit(0)
592 | 
593 |     def _mk_ext(self):
594 |         subprocess.call(
595 |             f"/sbin/mkfs.{self.fs_type} -v {self.path}".split(), stdout=subprocess.DEVNULL,
596 |         )
597 | 
598 |     def _mk_zfs(self):
599 |         self.fs_name = "pool_" + self.fs_name
600 |         GenericFilesystemCreator.mountAt = GenericFilesystemCreator._generic_mk_zfs(self.fs_name, self.dev)
601 | 
602 |     def mount_fs(self):
603 |         _mk_dir(self.mount_pt)
604 |         try:
605 |             subprocess.call(
606 |                 f"/bin/mount -t {self.fs_type} {self.dev} {self.mount_pt}".split(), stdout=subprocess.DEVNULL,
607 |             )
608 |         except subprocess.CalledProcessError:
609 |             logging.error(f"Failed to mount {self.fs_name} during populating phase")
610 |             self._unmk_blk_dev()
611 |             sys.exit(1)
612 |         except RuntimeError as e:
613 |             logging.error(e)
614 |             self._unmk_blk_dev()
615 |             sys.exit(1)
616 | 
617 |     def unmount_fs(self):
618 |         if self.fs_type in ["ext2", "ext3", "ext4"]:
619 |             self._unmount_ext()
620 |         if self.fs_type == "zfs":
621 |             self._unmount_zfs()
622 | 
623 |     def _unmount_ext(self):
624 |         try:
625 |             subprocess.call(f"/bin/umount {self.dev}".split(), stdout=subprocess.DEVNULL)
626 |         except RuntimeError as e:
627 |             logging.error(e)
628 |         finally:
629 |             self._unmk_blk_dev()
630 | 
631 |     def _unmount_zfs(self):
632 |         cmd_export_pool = "zpool export {}".format(self.fs_name)
633 |         try:
634 |             subprocess.call(cmd_export_pool.split(), stdout=subprocess.DEVNULL)
635 |             self._unmk_blk_dev()
636 |         except RuntimeError as e:
637 |             logging.warning(e)
638 |             sys.exit(1)
639 | 
640 | 
641 | #######################################################################################################################
642 | # FreeBSD SPECIFIC FILE SYSTEM CREATION STEPS                                                                         #
643 | #######################################################################################################################
644 | 
645 | 
646 | class FreeBSD(GenericFilesystemCreator):
647 |     def __init__(
648 |         self, fs, size, name, location, mount_pt, n_files, max_fsize, mode, save_pt, log_data=None,
649 |     ):
650 |         super(FreeBSD, self).__init__()
651 |         self.fs_type = fs
652 |         self.fs_size = size
653 |         self.fs_name = name
654 |         self.path = location
655 |         self.dev = None
656 |         self.mount_pt = mount_pt
657 |         self.n_files = n_files
658 |         self.max_fsize = max_fsize
659 |         self.mode = mode
660 |         self.save_pt = save_pt
661 |         self.data = log_data
662 | 
663 |     def _mk_blk_dev(self):
664 |         dev = subprocess.check_output(f"/sbin/mdconfig -a -t vnode -f {self.path}".split(), encoding="utf-8").strip()
665 |         self.dev = os.path.join("/dev", dev)
666 |         logging.debug(f"block device {self.dev} created")
667 |         return self.dev
668 | 
669 |     def _unmk_blk_dev(self):
670 |         subprocess.call(f"/sbin/mdconfig -d -u {self.dev}".split(), stdout=subprocess.DEVNULL)
671 | 
672 |     def mk_fs(self):
673 |         self._mk_blk_dev()
674 |         if self.fs_type in ["ext2", "ext3", "ext4"]:
675 |             self._mk_ext()
676 |         if self.fs_type == "zfs":
677 |             self._mk_zfs()
678 |         if self.fs_type in ["4.3bsd", "ufs1", "ufs2"]:
679 |             self._mk_ufs()
680 |         logging.debug(f"{self.fs_name} was created successfully")
681 | 
682 |     def _mk_ufs(self):
683 |         if self.fs_type == "ufs1":
684 |             cmd = f"/sbin/newfs -O 1 {self.dev}"
685 |         else:
686 |             cmd = f"/sbin/newfs {self.dev}"
687 |         subprocess.call(cmd.split(), close_fds=True, stdout=subprocess.DEVNULL)
688 | 
689 |     def _mk_ext(self):
690 |         subprocess.call(
691 |             f"/usr/local/sbin/mkfs.{self.fs_type} -v {self.path}".split(), stdout=subprocess.DEVNULL,
692 |         )
693 | 
694 |     def _mk_zfs(self):
695 |         self.fs_name = "pool_" + self.fs_name
696 |         GenericFilesystemCreator.mountAt = GenericFilesystemCreator._generic_mk_zfs(self.fs_name, self.dev)
697 | 
698 |     def mount_fs(self):
699 |         _mk_dir(self.mount_pt)
700 |         flag = ""
701 |         if self.fs_type in ["ext2", "ext3", "ext4"]:
702 |             flag = "ext2fs"
703 |         elif "ufs" in self.fs_type:
704 |             flag = "ufs"
705 |         if not GenericFilesystemCreator.generic_mount(flag, self.dev, self.mount_pt):
706 |             self._unmk_blk_dev()
707 |             logging.error(f"Failed to mount {self.fs_name} during populating phase")
708 |             sys.exit(1)
709 | 
710 |     def unmount_fs(self):
711 |         if self.fs_type in ["ext2", "ext3", "ext4", "ufs1", "ufs2"]:
712 |             self._unmount_ext_ufs()
713 |         if self.fs_type == "zfs":
714 |             self._unmount_zfs()
715 | 
716 |     def _unmount_ext_ufs(self):
717 |         try:
718 |             subprocess.call(f"/sbin/umount {self.dev}".split(), stdout=subprocess.DEVNULL)
719 |         except RuntimeError as e:
720 |             logging.error(e)
721 |         finally:
722 |             self._unmk_blk_dev()
723 | 
724 |     def _unmount_zfs(self):
725 |         cmd_export_pool = "zpool export {}".format(self.fs_name)
726 |         try:
727 |             subprocess.call(cmd_export_pool.split(), stdout=subprocess.DEVNULL)
728 |             self._unmk_blk_dev()
729 |         except RuntimeError as e:
730 |             logging.warning(e)
731 |             sys.exit(1)
732 | 
733 | 
734 | #######################################################################################################################
735 | # OpenBSD SPECIFIC FILE SYSTEM CREATION STEPS                                                                         #
736 | #######################################################################################################################
737 | 
738 | 
739 | class OpenBSD:
740 |     def __init__(self, fs, size, name, location, mount_pt, n_files, max_fsize, mode, save_pt):
741 |         super(OpenBSD, self).__init__()
742 |         self.fs_type = fs
743 |         self.fs_size = size
744 |         self.fs_name = name
745 |         self.path = location
746 |         self.dev = None
747 |         self.mount_pt = mount_pt
748 |         self.n_files = n_files
749 |         self.max_fsize = max_fsize
750 |         self.mode = mode
751 |         self.save_pt = save_pt
752 | 
753 |     def _mk_blk_dev(self):
754 |         subprocess.check_output(f"/sbin/vnconfig vnd0 {self.path}".split(), stderr=subprocess.STDOUT, encoding="utf-8",).strip()
755 |         self.dev = (
756 |             subprocess.check_output("/sbin/disklabel -A vnd0", stderr=subprocess.STDOUT, encoding="utf-8").split()[1][:-1].strip()
757 |         )
758 |         logging.debug(f"block device {self.dev} created")
759 |         return self.dev
760 | 
761 |     def _unmk_blk_dev(self):
762 |         subprocess.call(
763 |             f'/sbin/vnconfig -u {self.dev.split("/")[-1]}'.split(), stdout=subprocess.DEVNULL,
764 |         )
765 | 
766 |     def mk_fs(self):
767 |         self._mk_blk_dev()
768 |         if self.fs_type == "ext2":
769 |             self._mk_ext()
770 |         if self.fs_type in ["4.3bsd", "ufs1", "ufs2"]:
771 |             self._mk_ufs()
772 |         logging.debug(f"{self.fs_name} was created successfully")
773 | 
774 |     def _mk_ufs(self):
775 |         if self.fs_type == "4.3bsd":
776 |             cmd = f"/sbin/newfs -O 0 {self.dev}"
777 |         elif self.fs_type == "ufs1":
778 |             cmd = f"/sbin/newfs -O 1 {self.dev}"
779 |         else:
780 |             cmd = f"/sbin/newfs -O 2 {self.dev}"
781 |         subprocess.call(cmd.split(), stdout=subprocess.DEVNULL)
782 | 
783 |     def _mk_ext(self):
784 |         subprocess.call(f"/sbin/newfs_ext2fs -I {self.dev}".split(), stdout=subprocess.DEVNULL)
785 | 
786 |     def mount_fs(self):
787 |         _mk_dir(self.mount_pt)
788 |         flag = ""
789 |         if self.fs_type == "ext2":
790 |             flag = "ext2fs"
791 |         if self.fs_type in ["ufs", "4.3bsd"]:
792 |             flag = "ffs"
793 |         if not GenericFilesystemCreator.generic_mount(flag, self.dev, self.mount_pt):
794 |             self._unmk_blk_dev()
795 |             logging.error(f"Failed to mount {self.fs_name} during populating phase")
796 |             sys.exit(1)
797 | 
798 |     def unmount_fs(self):
799 |         self._unmount_ext_ufs()
800 | 
801 |     def _unmount_ext_ufs(self):
802 |         try:
803 |             subprocess.call(f"/bin/umount {self.dev}".split(), stdout=subprocess.DEVNULL)
804 |         except RuntimeError as e:
805 |             logging.error(e)
806 |         finally:
807 |             self._unmk_blk_dev()
808 | 
809 | 
810 | #######################################################################################################################
811 | # NetBSD SPECIFIC FILE SYSTEM CREATION STEPS                                                                          #
812 | #######################################################################################################################
813 | 
814 | 
815 | class NetBSD:
816 |     def __init__(self, fs, size, name, location, mount_pt, n_files, max_fsize, mode, save_pt):
817 |         super(NetBSD, self).__init__()
818 |         self.fs_type = fs
819 |         self.fs_size = size
820 |         self.fs_name = name
821 |         self.path = location
822 |         self.dev = None
823 |         self.mount_pt = mount_pt
824 |         self.n_files = n_files
825 |         self.max_fsize = max_fsize
826 |         self.mode = mode
827 |         self.save_pt = save_pt
828 | 
829 |     def _mk_blk_dev(self):
830 |         _ = subprocess.check_output(f"/usr/sbin/vndconfig vnd0 {self.path}".split(), encoding="utf-8").strip()
831 |         self.dev = "/dev/vnd0"
832 |         subprocess.call(f"/sbin/disklabel {self.dev}".split(), stdout=subprocess.DEVNULL)
833 |         self.dev = "/dev/rvnd0"
834 |         logging.debug(f"block device {self.dev} created")
835 |         return self.dev
836 | 
837 |     def _unmk_blk_dev(self):
838 |         subprocess.call(
839 |             f'/usr/sbin/vndconfig -u {self.dev.split("/")[-1]}'.split(), stdout=subprocess.DEVNULL,
840 |         )
841 | 
842 |     def mk_fs(self):
843 |         self._mk_blk_dev()
844 |         if self.fs_type in ["ext2", "ext3", "ext4"]:
845 |             self._mk_ext()
846 |         if self.fs_type in ["4.3bsd", "ufs1", "ufs2"]:
847 |             self._mk_ufs()
848 |         logging.debug(f"{self.fs_name} was created successfully")
849 | 
850 |     def _mk_ufs(self):
851 |         if self.fs_type == "4.3bsd":
852 |             cmd = f"/sbin/newfs -O 0 {self.dev}"
853 |         elif self.fs_type == "ufs1":
854 |             cmd = f"/sbin/newfs -O 1 {self.dev}"
855 |         else:
856 |             cmd = f"/sbin/newfs -O 2 {self.dev}"
857 |         subprocess.call(cmd.split(), stdout=subprocess.DEVNULL)
858 | 
859 |     def _mk_ext(self):
860 |         subprocess.call(f"/sbin/newfs_ext2fs {self.dev}".split(), stdout=subprocess.DEVNULL)
861 | 
862 |     def mount_fs(self):
863 |         _mk_dir(self.mount_pt)
864 |         flag = ""
865 |         self.dev = self.dev.translate({ord(c): None for c in "r"})
866 |         if self.fs_type == "ext2":
867 |             flag = "ext2fs"
868 |         if self.fs_type in ["ufs", "4.3bsd"]:
869 |             flag = "ufs"
870 |         if not GenericFilesystemCreator.generic_mount(flag, self.dev, self.mount_pt):
871 |             self._unmk_blk_dev()
872 |             logging.error(f"Failed to mount {self.fs_name} during populating phase")
873 |             sys.exit(1)
874 | 
875 |     def unmount_fs(self):
876 |         self._unmount_ext_ufs()
877 | 
878 |     def _unmount_ext_ufs(self):
879 |         try:
880 |             subprocess.call(f"/bin/umount {self.dev}".split(), stdout=subprocess.DEVNULL)
881 |         except RuntimeError as e:
882 |             logging.error(e)
883 |         finally:
884 |             self._unmk_blk_dev()
885 | 
886 | 
887 | def main():
888 |     if os.geteuid() != 0:
889 |         print("[!] Script needs to be run as root!")
890 |         sys.exit(1)
891 |     logging.basicConfig(level="ERROR")
892 |     return GenericFilesystemCreator().mk_file_system()
893 | 
894 | 
895 | if __name__ == "__main__":
896 |     main()
897 | 


--------------------------------------------------------------------------------
/src/fs_mutator.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import argparse
  4 | import pathlib
  5 | import secrets
  6 | import subprocess
  7 | import sys
  8 | from ctypes import sizeof
  9 | 
 10 | from ext_superblock_parser import EXT
 11 | from fs_util import get_magic_offsets, restore_magic_bytes, UFS_SB, EXT_SB, UFS_CG, SBLOCK_EXT2, MAGIC_BYTES_OFF
 12 | from ufs_superblock_parser import UFS
 13 | 
 14 | 
 15 | class Mutator:
 16 |     def __init__(self, fs, fst, mutation, out, radamsa=False, restore=False, deter=False, target=None):
 17 |         if target is None:
 18 |             target = []
 19 |         self.fs = fs
 20 |         self.fs_obj = fst
 21 |         # self.mutation = mutation
 22 |         if mutation:
 23 |             self.mutation_section = mutation[0]
 24 |             self.mutation_size = mutation[1]
 25 |             self.mutation_value = mutation[2]
 26 |             self.mutation_pos = mutation[3]
 27 |         self.outfile = out
 28 |         # self.mutation_type = mtype
 29 |         self.restore = restore
 30 |         self.determinism = deter
 31 |         self.radamsa = radamsa
 32 |         self.radamsa_seed = None
 33 |         self.target = target
 34 | 
 35 |     @staticmethod
 36 |     def _make_zero(size):
 37 |         return b"\x00" * size
 38 | 
 39 |     @staticmethod
 40 |     def _make_ff(size):
 41 |         return b"\xFF" * size
 42 | 
 43 |     @staticmethod
 44 |     def _rnd(size):
 45 |         return secrets.token_bytes(size)
 46 | 
 47 |     def _rnd_radamsa(self):
 48 |         if self.determinism:
 49 |             self.radamsa_seed = secrets.randbits(100)
 50 |             print(f"[+] Used radamsa seed: {self.radamsa_seed}.")
 51 |             cmd = f"radamsa {self.fs} -s {self.radamsa_seed} > {self.outfile}"
 52 |         else:
 53 |             cmd = f"radamsa {self.fs} > {self.outfile}"
 54 |         subprocess.check_output(cmd, shell=True)
 55 | 
 56 |     @staticmethod
 57 |     def _get_offset_in_sb(fn, mime="ufs"):
 58 |         off = 0
 59 |         for i, v in UFS_SB if mime == "ufs" else EXT_SB:
 60 |             if i == fn:
 61 |                 return off, sizeof(v)
 62 |             off += sizeof(v)
 63 |         return None, None
 64 | 
 65 |     @staticmethod
 66 |     def _get_offset_in_ufs_cg(fn):
 67 |         off = 0
 68 |         for i, v in UFS_CG:
 69 |             if i == fn:
 70 |                 return off, sizeof(v)
 71 |             off += sizeof(v)
 72 |         return None, None
 73 | 
 74 |     def targeted_mutation(self):
 75 |         with open(self.fs, "rb") as f:
 76 |             data = bytearray(f.read())
 77 |         if self.target[0].lower() == "sb":
 78 |             block_offs = self.fs_obj.find_all_superblocks()
 79 |         elif self.target[0].lower() == "cg":
 80 |             block_offs = self.fs_obj.find_all_cylinder_groups()
 81 |         else:
 82 |             print("[!] Unknown target.")
 83 |             sys.exit(-1)
 84 | 
 85 |         if self.target[1] != "all":
 86 |             block_offs = [block_offs[int(self.target[1])]]
 87 | 
 88 |         if self.target[0].lower() == "sb":
 89 |             offs, size = self._get_offset_in_sb(self.target[2])
 90 |         else:
 91 |             offs, size = self._get_offset_in_ufs_cg(self.target[2])
 92 |         if offs:
 93 |             inj = self.target[3][:size].encode()
 94 |             for b in block_offs:
 95 |                 data[b + offs : b + offs + len(inj)] = inj
 96 |             self._write_outfile(data)
 97 |         else:
 98 |             print(f"[!] Could not determine offset for: {self.target[2]} in {self.target[0]}!")
 99 |             sys.exit(-1)
100 | 
101 |     def _write_outfile(self, data):
102 |         with open(self.outfile, "wb") as g:
103 |             g.write(data)
104 | 
105 |     def _get_data_pos(self, non_data, border, r=0):
106 |         pos = secrets.randbelow(border + 1)
107 |         if pos in non_data or pos + r in non_data:
108 |             self._get_data_pos(non_data, border, r)
109 |         else:
110 |             return pos
111 | 
112 |     def _get_meta_pos(self, mlen, r):
113 |         pos = secrets.randbelow(mlen + 1)
114 |         if pos < mlen and pos + r < mlen:
115 |             return pos
116 |         else:
117 |             self._get_meta_pos(mlen, r)
118 | 
119 |     def _get_meta_offs(self, cgs, sbs):
120 |         forbidden = []
121 |         for sb in sbs:
122 |             for i in range(self.fs_obj.sb_expected_len + 1):
123 |                 forbidden.append(sb + i)
124 |         if cgs:
125 |             for cg in cgs:
126 |                 for i in range(self.fs_obj.cg_expected_len + 1):
127 |                     forbidden.append(cg + i)
128 |         return forbidden
129 | 
130 |     def _get_size(self):
131 |         if self.mutation_size == "byte_flip":
132 |             return 1
133 |         elif self.mutation_size == "block":
134 |             if self.mutation_section == "sb":
135 |                 return self.fs_obj.sb_expected_len
136 |             elif self.mutation_section == "cg":
137 |                 return self.fs_obj.cg_expected_len
138 |             else:
139 |                 return 64
140 | 
141 |     def _apply_mutation(self, btype=None, fields=None):
142 |         fake_block = b""
143 |         msize = self._get_size()
144 |         if self.mutation_value == "zero":
145 |             fake_block = self._make_zero(msize)
146 |         elif self.mutation_value == "ff":
147 |             fake_block = self._make_ff(msize)
148 |         elif self.mutation_value == "rnd":
149 |             fake_block = self._rnd(msize)
150 | 
151 |         with open(self.fs, "rb") as f:
152 |             data = bytearray(f.read())
153 |             dlen = len(data)
154 | 
155 |         if btype in ["sb", "cg"]:
156 |             pos = 0
157 |             if btype == "sb" and self.mutation_size == "byte_flip":
158 |                 pos = self._get_meta_pos(self.fs_obj.sb_expected_len, msize)
159 |             elif btype == "cg" and self.mutation_size == "byte_flip":
160 |                 pos = self._get_meta_pos(self.fs_obj.cg_expected_len, msize)
161 | 
162 |             if self.mutation_pos == "all":
163 |                 for e in fields:
164 |                     data[e + pos : e + pos + len(fake_block)] = fake_block
165 |                     print(f"[*] Modified offset {hex(e + pos)} with {fake_block} of length {len(fake_block)}.")
166 |             else:
167 |                 mpos = int(self.mutation_pos)
168 |                 data[fields[mpos] + pos : fields[mpos] + pos + len(fake_block)] = fake_block
169 |                 print(f"[*] Modified offset {hex(fields[mpos] + pos)} with {fake_block} of length {len(fake_block)}.")
170 | 
171 |         else:
172 |             forbidden = self._get_meta_offs(self.fs_obj.cg_locs, self.fs_obj.sb_locs)
173 |             pos = self._get_data_pos(forbidden, dlen, msize)
174 |             data[pos : pos + len(fake_block)] = fake_block
175 |             print(f"[*] Modified offset {hex(pos)} with {fake_block} of length {len(fake_block)}.")
176 | 
177 |         self._write_outfile(data)
178 |         if self.restore:
179 |             self._restore_magic_bytes()
180 | 
181 |     def _restore_magic_bytes(self):
182 |         if "ufs" in self.fs_obj.fst:
183 |             moff = get_magic_offsets(self.fs, "ufs")
184 |             restore_magic_bytes(moff, self.outfile, "ufs")
185 |         else:
186 |             restore_magic_bytes([SBLOCK_EXT2 + MAGIC_BYTES_OFF], self.outfile, "ext")
187 | 
188 |     def mutate(self):
189 |         try:
190 |             if self.target:
191 |                 self.targeted_mutation()
192 |             elif self.radamsa:
193 |                 self._rnd_radamsa()
194 | 
195 |             else:
196 |                 if self.mutation_section == "sb":
197 |                     offs = self.fs_obj.find_all_superblocks()
198 |                     self._apply_mutation(btype="sb", fields=offs)
199 |                 elif self.mutation_section == "cg":
200 |                     offs = self.fs_obj.find_all_cylinder_groups()
201 |                     self._apply_mutation(btype="cg", fields=offs)
202 |                 else:
203 |                     self.fs_obj.find_all_superblocks()
204 |                     self.fs_obj.find_all_cylinder_groups()
205 |                     self._apply_mutation(btype="data")
206 |             print(f"[+] Writing result to '{self.outfile}'.")
207 |         except:
208 |             print(f"[!] Failed to mutate")
209 |         finally:
210 |             if self.restore:
211 |                 self._restore_magic_bytes()
212 | 
213 | 
214 | def get_bool(i):
215 |     if i:
216 |         return True
217 |     else:
218 |         return False
219 | 
220 | 
221 | def main():
222 |     parser = argparse.ArgumentParser(description="Simple file system mutator")
223 |     parser.add_argument("--file_system", "-f", required=True, type=pathlib.Path, help="UFS Filesystem")
224 |     parser.add_argument("--file_system_type", "-ft", type=str, default="ufs", dest="fst", help="[ufs, ext]. Default: %(default)s")
225 |     parser.add_argument("--out", "-o", required=True, type=pathlib.Path, help="Filename for new sample")
226 |     parser.add_argument(
227 |         "--prototype",
228 |         "-p",
229 |         nargs=4,
230 |         default=None,
231 |         help="msection: [sb, cg, data]," "msize: [byte_flip, block]," "mvalue: [zero, ff, rnd]," "mpos: [n-th- sb,cg, all]",
232 |     )
233 |     parser.add_argument("--radamsa", "-rd", action="store_true", help="Use radamsa for full binary mutation")
234 | 
235 |     parser.add_argument("--restore", "-r", action="store_true", help="Restore magic bytes in super block(s)")
236 |     parser.add_argument("--determinism", "-d", action="store_true", help="Set and save seed for radamsa mutation")
237 |     parser.add_argument(
238 |         "--targeted_mutation",
239 |         "-t",
240 |         nargs=4,
241 |         default=None,
242 |         # ['sb', 'all', 'fs_fsmnt',  'Hello World @ HITB 2020 AMS Lockdown Con :)!']
243 |         type=str,
244 |         dest="target",
245 |         help="Specify <sb/cg> n-th/all <sb/cg> a <field> and the <injected value>. Default: %(default)s",
246 |     )
247 | 
248 |     args = parser.parse_args()
249 |     if sum([get_bool(args.prototype), get_bool(args.target), args.radamsa]) > 1:
250 |         parser.error("Only specify one of the flags: radamsa, targeted, or mutation")
251 |     if args.determinism and not args.radamsa:
252 |         parser.error("Determinism flag requires radamsa flag to be set")
253 |     if args.fst == "ufs":
254 |         fst = UFS(fs=args.file_system, fst="ufs2")
255 |     else:
256 |         fst = EXT(fs=args.file_system)
257 | 
258 |     Mutator(
259 |         fs=args.file_system,
260 |         fst=fst,
261 |         mutation=args.prototype,
262 |         out=args.out,
263 |         radamsa=args.radamsa,
264 |         restore=args.restore,
265 |         deter=args.determinism,
266 |         target=args.target,
267 |     ).mutate()
268 | 
269 | 
270 | if __name__ == "__main__":
271 |     main()
272 | 


--------------------------------------------------------------------------------
/src/fs_util.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | import sys
  3 | from ctypes import *
  4 | from datetime import datetime
  5 | 
  6 | 
  7 | def get_int(n, signed=False):
  8 |     return int.from_bytes(n, byteorder="little", signed=signed)
  9 | 
 10 | 
 11 | def get_time(n):
 12 |     return datetime.fromtimestamp(n).strftime("%c")
 13 | 
 14 | 
 15 | def get_hstr(hex_str, inv=False):
 16 |     if len(hex_str[2:]) % 16 != 0:
 17 |         hex_str = "0" + hex_str[2:]
 18 |     else:
 19 |         hex_str = hex_str[2:]
 20 |     if inv:
 21 |         return bytes.fromhex(hex_str[::-1]).decode("ASCII")
 22 |     else:
 23 |         return bytes.fromhex(hex_str).decode("ASCII")
 24 | 
 25 | 
 26 | def get_magic_offsets(path_to_file_system, file_system_type=None):
 27 |     with open(path_to_file_system, "rb") as f:
 28 |         data = f.read()
 29 |         magic_positions = []
 30 |         if file_system_type is "ufs":
 31 |             magic_sequence = UFS_MAGIC
 32 |         elif file_system_type is "zfs":
 33 |             magic_sequence = ZFS_MAGIC
 34 |         else:
 35 |             return False
 36 |         matches = re.finditer(magic_sequence, data)
 37 |         for m in matches:
 38 |             magic_positions.append(m.span()[0])
 39 |         return magic_positions
 40 | 
 41 | 
 42 | def restore_magic_bytes(magic_offsets, fs, mime=None):
 43 |     if mime == "ext":
 44 |         magic_sequence = EXT_MAGIC
 45 |     elif mime == "ufs":
 46 |         magic_sequence = UFS_MAGIC
 47 |     elif mime == "zfs":
 48 |         magic_sequence = ZFS_MAGIC
 49 |     else:
 50 |         print("[!] Unknown mime type")
 51 |         sys.exit(1)
 52 |     with open(fs, "rb+") as f:
 53 |         for m in magic_offsets:
 54 |             f.seek(m)
 55 |             f.write(magic_sequence)
 56 | 
 57 | 
 58 | def save_sb(fs, mime=None):
 59 |     if mime == "ufs":
 60 |         off = SBLOCK_UFS2
 61 |     elif mime == "ext":
 62 |         off = E
 63 |     elif mime == "zfs":
 64 |         pass
 65 |     else:
 66 |         print("[!] Unknown mime type")
 67 |         sys.exit(1)
 68 | 
 69 | 
 70 | def restore_sb(self):
 71 |     if self.mime == "ufs":
 72 |         superblock = ufs_superblock_parser.get_raw_superblock(self.path_to_file_system)
 73 |         offset = ufs_superblock_parser.UFS_SUPERBLOCK["magic"]["offset"]
 74 |     elif self.mime == "ext":
 75 |         superblock = 0
 76 |         offset = 0
 77 |         pass
 78 |     elif self.mime == "zfs":
 79 |         superblock = 0
 80 |         offset = 0
 81 |         pass
 82 |     else:
 83 |         logging.error("Could not detect file system type correctly")
 84 |         return 0
 85 |     with open(self.path_to_mutated_file_system, "wb") as f:
 86 |         f.read(offset)
 87 |         f.write(superblock)
 88 |         f.close()
 89 | 
 90 | 
 91 | # xxd EXT_FS | 'ef53'
 92 | # at offset 1080
 93 | EXT_MAGIC = b"\x53\xef"
 94 | 
 95 | # xxd UFS_FS | grep '1954 0119'
 96 | # multiple offsets
 97 | UFS_MAGIC = b"\x19\x01\x54\x19"
 98 | CG_MAGIC = b"\x55\x02\x09"
 99 | 
100 | # xxd ZFS_FS | grep '0cb1 ba00'
101 | # multiple offsets
102 | ZFS_MAGIC = b"\x0c\xb1\xba\x00\x00\x00\x00\x00"
103 | 
104 | SBLOCK_PIGGY = 262144
105 | SBLOCKSIZE = 8192
106 | MAXMNTLEN = 468
107 | MAXVOLLEN = 32
108 | FSMAXSNAP = 20
109 | NOCSPTRS = int(128 / (sizeof(c_void_p)) - 4)
110 | MAXFRAG = 8
111 | SBLOCK_UFS1 = 8192
112 | SBLOCK_UFS2 = 65536
113 | 
114 | ufs_time_t = c_int64
115 | ufs2_daddr_t = c_int64
116 | 
117 | UFS_SB = [
118 |     ("fs_firstfield", c_int32),
119 |     ("fs_unused_1", c_int32),
120 |     ("fs_sblkno", c_int32),
121 |     ("fs_cblkno", c_int32),
122 |     ("fs_iblkno", c_int32),
123 |     ("fs_dblkno", c_int32),
124 |     ("fs_old_cgoffset", c_int32),
125 |     ("fs_old_cgmask", c_int32),
126 |     ("fs_old_time", c_int32),
127 |     ("fs_old_size", c_int32),
128 |     ("fs_old_dsize", c_int32),
129 |     ("fs_ncg", c_uint32),
130 |     ("fs_bsize", c_int32),
131 |     ("fs_fsize", c_int32),
132 |     ("fs_frag", c_int32),
133 |     ("fs_minfree", c_int32),
134 |     ("fs_old_rotdelay", c_int32),
135 |     ("fs_old_rps", c_int32),
136 |     ("fs_bmask", c_int32),
137 |     ("fs_fmask", c_int32),
138 |     ("fs_bshift", c_int32),
139 |     ("fs_fshift", c_int32),
140 |     ("fs_maxcontig", c_int32),
141 |     ("fs_maxbpg", c_int32),
142 |     ("fs_fragshift", c_int32),
143 |     ("fs_fsbtodb", c_int32),
144 |     ("fs_sbsize", c_int32),
145 |     ("fs_spare1", c_int32 * 2),  # arr[2]
146 |     ("fs_nindir", c_int32),
147 |     ("fs_inopb", c_uint32),
148 |     ("fs_old_nspf", c_int32),
149 |     ("fs_optim", c_int32),
150 |     ("fs_old_npsect", c_int32),
151 |     ("fs_old_interleave", c_int32),
152 |     ("fs_old_trackskew", c_int32),
153 |     ("fs_id", c_int32 * 2),  # arr[2]
154 |     ("fs_old_csaddr", c_int32),
155 |     ("fs_cssize", c_int32),
156 |     ("fs_cgsize", c_int32),
157 |     ("fs_spare2", c_int32),
158 |     ("fs_old_nsect", c_int32),
159 |     ("fs_old_spc", c_int32),
160 |     ("fs_old_ncyl", c_int32),
161 |     ("fs_old_cpg", c_int32),
162 |     ("fs_ipg", c_uint32),
163 |     ("fs_fpg", c_int32),
164 |     ("fs_old_cstotal__cs_ndir", c_int32),
165 |     ("fs_old_cstotal__cs_nbfree", c_int32),
166 |     ("fs_old_cstotal__cs_nifree", c_int32),
167 |     ("fs_old_cstotal__cs_nffree", c_int32),
168 |     # ('fs_old_cstotal', c_int32 * 4),  # struct csum
169 |     ("fs_fmod", c_int8),
170 |     ("fs_clean", c_int8),
171 |     ("fs_ronly", c_int8),
172 |     ("fs_old_flags", c_int8),
173 |     ("fs_fsmnt", c_char * MAXMNTLEN),
174 |     ("fs_volname", c_char * MAXVOLLEN),
175 |     ("fs_swuid", c_uint64),
176 |     ("fs_pad", c_int32),
177 |     ("fs_cgrotor", c_int32),
178 |     ("*fs_ocsp", c_void_p * NOCSPTRS),  # void 	*fs_ocsp[NOCSPTRS]
179 |     ("*fs_contigdirs", c_size_t),  # *fs_contigdirs
180 |     ("*fs_csp", c_size_t),  # struct csum *fs_csp
181 |     ("*fs_maxcluster", c_size_t),
182 |     ("*fs_active", c_uint64),
183 |     ("fs_old_cpc", c_int32),
184 |     ("fs_maxbsize", c_int32),
185 |     ("fs_unrefs", c_int64),
186 |     ("fs_providersize", c_int64),
187 |     ("fs_metaspace", c_int64),
188 |     ("fs_sparecon64", c_int64 * 13),  # arr[13]
189 |     ("fs_sblockactualloc", c_int64),
190 |     ("fs_sblockloc", c_int64),
191 |     ("fs_cstotal__cs_ndir", c_int64),
192 |     ("fs_cstotal__cs_nbfree", c_int64),
193 |     ("fs_cstotal__cs_nifree", c_int64),
194 |     ("fs_cstotal__cs_nffree", c_int64),
195 |     ("fs_cstotal__cs_numclusters", c_int64),
196 |     ("fs_cstotal__cs_spare", c_int64 * 3),
197 |     # ('fs_cstotal', c_size_t * 8),  # struct csum_total
198 |     ("fs_time", ufs_time_t),
199 |     ("fs_size", c_int64),
200 |     ("fs_dsize", c_int64),
201 |     ("fs_csaddr", ufs2_daddr_t),
202 |     ("fs_pendingblocks", c_int64),
203 |     ("fs_pendinginodes", c_uint32),
204 |     ("fs_snapinum", c_uint32 * FSMAXSNAP),
205 |     ("fs_avgfilesize", c_uint32),
206 |     ("fs_avgfpdir", c_uint32),
207 |     ("fs_save_cgsize", c_int32),
208 |     ("fs_mtime", ufs_time_t),
209 |     ("fs_sujfree", c_int32),
210 |     ("fs_sparecon32", c_int32 * 21),  # arr[21]
211 |     ("fs_ckhash", c_uint32),
212 |     ("fs_metackhash", c_uint32),
213 |     ("fs_flags", c_int32),
214 |     ("fs_contigsumsize", c_int32),
215 |     ("fs_maxsymlinklen", c_int32),
216 |     ("fs_old_inodefmt", c_int32),
217 |     ("fs_maxfilesize", c_uint64),
218 |     ("fs_qbmask", c_int64),
219 |     ("fs_qfmask", c_int64),
220 |     ("fs_state", c_int32),
221 |     ("fs_old_postblformat", c_int32),
222 |     ("fs_old_nrpos", c_int32),
223 |     ("fs_spare5", c_int32 * 2),  # arr[2]
224 |     ("fs_magic", c_int32),
225 | ]
226 | 
227 | UFS_CG = [
228 |     ("cg_firstfield", c_int32),
229 |     ("cg_magic", c_int32),
230 |     ("cg_old_time", c_int32),
231 |     ("cg_cgx", c_uint32),
232 |     ("cg_old_nyl", c_int16),
233 |     ("cg_old_niblk", c_int16),
234 |     ("cg_ndblk", c_uint32),
235 |     ("cg_cs__cs_ndir", c_int32),
236 |     ("cg_cs__cs_nbfree", c_int32),
237 |     ("cg_cs__cs_nifree", c_int32),
238 |     ("cg_cs__cs_nffree", c_int32),
239 |     ("cg_rotor", c_uint32),
240 |     ("cg_frotor", c_uint32),
241 |     ("cg_irotor", c_uint32),
242 |     ("cg_frsum", c_uint32 * MAXFRAG),  # arr[MAXFRAG]
243 |     ("cg_old_btotoff", c_int32),
244 |     ("cg_old_boff", c_int32),
245 |     ("cg_iusedoff", c_uint32),
246 |     ("cg_freeoff", c_uint32),
247 |     ("cg_nextfreeoff", c_uint32),
248 |     ("cg_clustersumoff", c_uint32),
249 |     ("cg_clusteroff", c_uint32),
250 |     ("cg_nclusterblks", c_uint32),
251 |     ("cg_niblk", c_uint32),
252 |     ("cg_initediblk", c_uint32),
253 |     ("cg_unrefs", c_uint32),
254 |     ("cg_sparecon32", c_int32),
255 |     ("cg_ckhash", c_uint32),
256 |     ("cg_time", ufs_time_t),
257 |     ("cg_sparecon64", c_uint64 * 3),  # arr[3]
258 |     ("cg_space", c_uint8),
259 | ]
260 | 
261 | SBLOCK_EXT2 = 1024  # First 1024 bytes are unused, block group 0 starts with a superblock @ offset 1024d
262 | MAGIC_BYTES_OFF = 56
263 | 
264 | EXT_SB = [
265 |     ("e2fs_icount", c_uint32),
266 |     ("e2fs_bcount", c_uint32),
267 |     ("e2fs_rbcount", c_uint32),
268 |     ("e2fs_fbcount", c_uint32),
269 |     ("e2fs_ficount", c_uint32),
270 |     ("e2fs_first_dblock", c_uint32),
271 |     ("e2fs_log_bsize", c_uint32),
272 |     ("e2fs_log_fsize", c_uint32),
273 |     ("e2fs_bpg", c_uint32),
274 |     ("e2fs_fpg", c_uint32),
275 |     ("e2fs_ipg", c_uint32),
276 |     ("e2fs_mtime", c_uint32),
277 |     ("e2fs_wtime", c_uint32),
278 |     ("e2fs_mnt_count", c_uint16),
279 |     ("e2fs_max_mnt_count", c_uint16),
280 |     ("e2fs_magic", c_uint16),
281 |     ("e2fs_state", c_uint16),
282 |     ("e2fs_beh", c_uint16),
283 |     ("e2fs_minrev", c_uint16),
284 |     ("e2fs_lastfsck", c_uint32),
285 |     ("e2fs_fsckintv", c_uint32),
286 |     ("e2fs_creator", c_uint32),
287 |     ("e2fs_rev", c_uint32),
288 |     ("e2fs_ruid", c_uint16),
289 |     ("e2fs_rgid", c_uint16),
290 |     ("e2fs_first_ino", c_uint32),
291 |     ("e2fs_inode_size", c_uint16),
292 |     ("e2fs_block_group_nr", c_uint16),
293 |     ("e2fs_features_compat", c_uint32),
294 |     ("e2fs_features_incompat", c_uint32),
295 |     ("e2fs_features_rocompat", c_uint32),
296 |     ("e2fs_uuid", c_uint8 * 16),  # arr[16], at offset 104
297 |     ("e2fs_vname", c_char * 16),  # arr[16]
298 |     ("e2fs_fsmnt", c_char * 64),  # arr[64]
299 |     ("e2fs_algo", c_uint32),
300 |     ("e2fs_prealloc", c_uint8),
301 |     ("e2fs_dir_prealloc", c_uint8),
302 |     ("e2fs_reserved_ngdb", c_uint16),
303 |     ("e3fs_journal_uuid", c_char * 16),  # arr[16]
304 |     ("e3fs_journal_inum", c_uint32),
305 |     ("e3fs_journal_dev", c_uint32),
306 |     ("e3fs_last_orphan", c_uint32),
307 |     ("e3fs_hash_seed", c_uint32 * 4),  # arr[4]
308 |     ("e3fs_def_hash_version", c_char),
309 |     ("e3fs_jnl_backup_type", c_char),
310 |     ("e3fs_desc_size", c_uint16),
311 |     ("e3fs_default_mount_opts", c_uint32),
312 |     ("e3fs_first_meta_bg", c_uint32),
313 |     ("e3fs_mkfs_time", c_uint32),
314 |     ("e3fs_jnl_blks", c_uint32),
315 |     ("e4fs_bcount_hi", c_uint32),
316 |     ("e4fs_rbcount_hi", c_uint32),
317 |     ("e4fs_fbcount_hi", c_uint32),
318 |     ("e4fs_min_extra_isize", c_uint16),
319 |     ("e4fs_want_extra_isize", c_uint16),
320 |     ("e4fs_flags", c_uint32),
321 |     ("e4fs_raid_stride", c_uint16),
322 |     ("e4fs_mmpintv", c_uint16),
323 |     ("e4fs_mmpblk", c_uint64),
324 |     ("e4fs_raid_stripe_wid", c_uint32),
325 |     ("e4fs_log_gpf", c_uint8),
326 |     ("e4fs_chksum_type", c_uint8),
327 |     ("e4fs_encrypt", c_uint8),
328 |     ("e4fs_reserved_pad", c_uint8),
329 |     ("e4fs_kbytes_written", c_uint64),
330 |     ("e4fs_snapinum", c_uint32),
331 |     ("e4fs_snapid", c_uint32),
332 |     ("e4fs_snaprbcount", c_uint64),
333 |     ("e4fs_snaplist", c_uint32),
334 |     ("e4fs_errcount", c_uint32),
335 |     ("e4fs_first_errtime", c_uint32),
336 |     ("e4fs_first_errino", c_uint32),
337 |     ("e4fs_first_errblk", c_uint64),
338 |     ("e4fs_first_errfunc", c_uint8 * 32),  # arr[32]
339 |     ("e4fs_first_errline", c_uint32),
340 |     ("e4fs_last_errtime", c_uint32),
341 |     ("e4fs_last_errino", c_uint32),
342 |     ("e4fs_last_errline", c_uint32),
343 |     ("e4fs_last_errblk", c_uint64),
344 |     ("e4fs_last_errfunc", c_uint8 * 32),  # arr[32]
345 |     ("e4fs_mount_opts", c_uint8 * 64),  # arr[64]
346 |     ("e4fs_usrquota_inum", c_uint32),
347 |     ("e4fs_grpquota_inum", c_uint32),
348 |     ("e4fs_overhead_clusters", c_uint32),
349 |     ("e4fs_backup_bgs", c_uint32 * 2),  # arr[2]
350 |     ("e4fs_encrypt_algos", c_uint8 * 4),  # arr[4]
351 |     ("e4fs_encrypt_pw_salt", c_uint8 * 16),  # arr[16]
352 |     ("e4fs_lpf_ino", c_uint32),
353 |     ("e4fs_proj_quota_inum", c_uint32),
354 |     ("e4fs_chksum_seed", c_uint32),
355 |     ("e4fs_reserved", c_uint32 * 98),  # arr[98]
356 |     ("e4fs_sbchksum", c_uint32),
357 | ]
358 | 


--------------------------------------------------------------------------------
/src/ufs_superblock_parser.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import argparse
  4 | import os
  5 | import pathlib
  6 | import pprint as pp
  7 | import re
  8 | from collections import OrderedDict
  9 | from ctypes import *
 10 | 
 11 | from fs_util import UFS_MAGIC, CG_MAGIC, get_int, UFS_CG, UFS_SB, SBLOCK_UFS1, SBLOCK_UFS2
 12 | 
 13 | 
 14 | class UFS(Structure):
 15 |     def __init__(self, fs, fst):
 16 |         super(Structure).__init__()
 17 |         self.sb = OrderedDict()
 18 |         self.cg = OrderedDict()
 19 |         self.sb_expected_len = 1376
 20 |         self.cg_expected_len = 169
 21 |         self.fs = fs
 22 |         self.fst = fst
 23 |         if fst == "ufs2":
 24 |             self.sbo = SBLOCK_UFS2
 25 |         else:
 26 |             self.sbo = SBLOCK_UFS1
 27 |         self.sb_locs = []
 28 |         self._fields_sb = UFS_SB
 29 |         self.cg_locs = []
 30 |         self._fields_cg = UFS_CG
 31 |         self._sanity_check()
 32 | 
 33 |     def _sanity_check(self):
 34 |         res_sb = 0
 35 |         res_cg = 0
 36 |         for _, v in self._fields_sb:
 37 |             res_sb += sizeof(v)
 38 |         for _, v in self._fields_cg:
 39 |             res_cg += sizeof(v)
 40 |         assert res_sb == self.sb_expected_len
 41 |         assert res_cg == self.cg_expected_len
 42 | 
 43 |     def get_superblock(self, n=0):
 44 |         self.find_all_superblocks()
 45 |         self._read_superblock_in_dict(self.sb_locs[n])
 46 |         return self.sb
 47 | 
 48 |     def get_cylinder_group(self, n=0):
 49 |         self.find_all_cylinder_groups()
 50 |         self._read_cylinder_group_in_dict(self.cg_locs[n])
 51 |         return self.cg
 52 | 
 53 |     def _read_superblock_in_dict(self, loc=SBLOCK_UFS2):
 54 | 
 55 |         with open(self.fs, "rb") as f:
 56 |             f.seek(loc)
 57 |             for field in self._fields_sb:
 58 |                 self.sb[field[0]] = f.read(sizeof(field[1]))
 59 | 
 60 |     def _read_cylinder_group_in_dict(self, loc=None):
 61 |         with open(self.fs, "rb") as f:
 62 |             f.seek(loc)
 63 |             for field in self._fields_cg:
 64 |                 self.cg[field[0]] = f.read(sizeof(field[1]))
 65 | 
 66 |     def find_all_superblocks(self):
 67 |         with open(self.fs, "rb") as f:
 68 |             data = f.read()
 69 |             matches = re.finditer(UFS_MAGIC, data)
 70 |             for m in matches:
 71 |                 sb = m.span()[0] - (self.sb_expected_len - 4)
 72 |                 self.sb_locs.append(sb)
 73 |         self.sb_locs = self.sb_locs[1:]
 74 |         if (not self.sb_locs or SBLOCK_UFS2 not in self.sb_locs) and self.fst == "ufs2":
 75 |             self.sb_locs = [SBLOCK_UFS2] + self.sb_locs
 76 |         elif (not self.sb_locs or SBLOCK_UFS1 not in self.sb_locs) and self.fst == "ufs1":
 77 |             self.sb_locs = [SBLOCK_UFS1] + self.sb_locs
 78 |         return self.sb_locs
 79 | 
 80 |     def find_all_cylinder_groups(self):
 81 |         with open(self.fs, "rb") as f:
 82 |             data = f.read()
 83 |             matches = re.finditer(CG_MAGIC, data)
 84 |             for m in matches:
 85 |                 cg = m.span()[0] - 4
 86 |                 self.cg_locs.append(cg)
 87 |         return self.cg_locs
 88 | 
 89 |     def print_superblock(self):
 90 |         tmp = OrderedDict()
 91 |         for key, value in self.sb.items():
 92 |             if key in [
 93 |                 "fs_maxfilesize",
 94 |                 "fs_metackhash",
 95 |                 "fs_ckhash",
 96 |                 "fs_avgfpdir",
 97 |                 "fs_avgfilesize",
 98 |                 "fs_snapinum",
 99 |                 "fs_pendinginodes",
100 |                 "*fs_active",
101 |                 "fs_swuid",
102 |                 "fs_ipg",
103 |                 "fs_inopb",
104 |                 "fs_ncg",
105 |             ]:
106 |                 tmp[key] = hex(get_int(value, signed=False))
107 |             else:
108 |                 tmp[key] = hex(get_int(value))
109 |         pp.pprint(tmp)
110 | 
111 |     def print_cylinder_group(self):
112 |         tmp = OrderedDict()
113 |         for key, value in self.cg.items():
114 |             if key in [
115 |                 "cg_firstfield",
116 |                 "cg_magic",
117 |                 "cg_old_time",
118 |                 "cg_old_ncyl",
119 |                 "cg_old_niblk",
120 |                 "cg_old_btotoff",
121 |                 "cg_old_boff",
122 |                 "cg_sparecon32",
123 |                 "cg_time",
124 |                 "cg_sparecon64",
125 |                 "cg_cs__cs_ndir",
126 |                 "cg_cs__cs_nbfree",
127 |                 "cg_cs__cs_nifree",
128 |                 "cg_cs__cs_nffree",
129 |             ]:
130 |                 tmp[key] = hex(get_int(value, signed=True))
131 |             else:
132 |                 tmp[key] = hex(get_int(value))
133 |         pp.pprint(tmp)
134 | 
135 |     def dump_superblock(self, n=0):
136 |         if not self.sb_locs:
137 |             self.find_all_superblocks()
138 |         self._read_superblock_in_dict(loc=self.sb_locs[n])
139 |         p = str(pathlib.Path(self.fs).parent)
140 |         c = str(pathlib.Path(self.fs).name)
141 |         fp = os.path.join(p, f"superblock_{hex(n)}_" + c + ".dump")
142 |         with open(fp, "wb") as f:
143 |             for _, value in self.sb.items():
144 |                 f.write(value)
145 |         print(f"[+] Dumped {fp}")
146 | 
147 |     def dump_all_superblocks(self):
148 |         self.find_all_superblocks()
149 |         for i, _ in enumerate(self.sb_locs):
150 |             self.dump_superblock(n=i)
151 | 
152 | 
153 | # The UFS2 superblock is located at the beginning of the disk slice, and is replicated in each cylinder group.
154 | 
155 | 
156 | def main():
157 |     parser = argparse.ArgumentParser(description="UFS file system parser")
158 |     parser.add_argument(
159 |         "--dump", "-d", action="store_true", default=False, dest="dump", help="Dumps the first superblock to disk"
160 |     )
161 |     parser.add_argument(
162 |         "--dump_all", "-da", action="store_true", default=False, dest="dump_all", help="Dumps all superblocks to disk"
163 |     )
164 |     parser.add_argument(
165 |         "--print_superblock",
166 |         "-ps",
167 |         type=int,
168 |         default=-1,
169 |         dest="print_sb",
170 |         help="Print the n-th superblock to stdout. Default: %(default)s",
171 |     )
172 |     parser.add_argument(
173 |         "--print_cylinder_groups",
174 |         "-pcg",
175 |         type=int,
176 |         help="Print the n-th cylinder group to stdout. Default: %(default)s",
177 |         default=-1,
178 |         dest="print_cg",
179 |     )
180 |     parser.add_argument(
181 |         "--find_all",
182 |         "-fa",
183 |         action="store_true",
184 |         default=False,
185 |         dest="find_all",
186 |         help="Finds all superblock locations and prints them to stdout. Default: %(default)s",
187 |     )
188 |     parser.add_argument("--file_system", "-f", required=True, type=pathlib.Path, help="UFS Filesystem")
189 |     parser.add_argument(
190 |         "--file_system_type", "-ft", type=str, default="ufs2", dest="fst", help="[ufs1, ufs2]. Default: %(default)s"
191 |     )
192 | 
193 |     args = parser.parse_args()
194 | 
195 |     ufs = UFS(args.file_system, args.fst)
196 |     if args.dump:
197 |         ufs.dump_superblock()
198 |     if args.dump_all:
199 |         ufs.dump_all_superblocks()
200 |     if args.find_all:
201 |         ufs.find_all_superblocks()
202 |         ufs.find_all_cylinder_groups()
203 |         res = ", ".join(hex(e) for e in ufs.sb_locs)
204 |         print(f"[+] Found superblock offsets: {res}")
205 |         res = ", ".join(hex(e) for e in ufs.cg_locs)
206 |         print(f"[+] Found cylinder group offsets: {res}")
207 |     if args.print_sb >= 0:
208 |         ufs.find_all_superblocks()
209 |         if not ufs.sb_locs and args.fst == "ufs2":
210 |             ufs.sb_locs.append(SBLOCK_UFS2)
211 |         elif not ufs.sb_locs and args.fst == "ufs1":
212 |             ufs.sb_locs.append(SBLOCK_UFS1)
213 |         ufs._read_superblock_in_dict(ufs.sb_locs[args.print_sb])
214 |         ufs.print_superblock()
215 |     if args.print_cg >= 0:
216 |         ufs.find_all_cylinder_groups()
217 |         ufs._read_cylinder_group_in_dict(ufs.cg_locs[args.print_cg])
218 |         ufs.print_cylinder_group()
219 | 
220 | 
221 | if __name__ == "__main__":
222 |     main()
223 | 


--------------------------------------------------------------------------------
/testcases/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/__init__.py


--------------------------------------------------------------------------------
/testcases/core_features/default.txt:
--------------------------------------------------------------------------------
   1 | dumped core - see /var/crash/vmcore.1
   2 | 
   3 | Mon Apr  6 12:44:44 CEST 2020
   4 | 
   5 | FreeBSD  12.1-RELEASE FreeBSD 12.1-RELEASE GENERIC  amd64
   6 | 
   7 | panic: hashdestroy: hashtbl 0xfffffe001b271000 not empty (malloc type inodedep)
   8 | 
   9 | GNU gdb (GDB) 8.3.1 [GDB v8.3.1 for FreeBSD]
  10 | Copyright (C) 2019 Free Software Foundation, Inc.
  11 | License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  12 | This is free software: you are free to change and redistribute it.
  13 | There is NO WARRANTY, to the extent permitted by law.
  14 | Type "show copying" and "show warranty" for details.
  15 | This GDB was configured as "x86_64-portbld-freebsd12.1".
  16 | Type "show configuration" for configuration details.
  17 | For bug reporting instructions, please see:
  18 | <http://www.gnu.org/software/gdb/bugs/>.
  19 | Find the GDB manual and other documentation resources online at:
  20 |     <http://www.gnu.org/software/gdb/documentation/>.
  21 | 
  22 | For help, type "help".
  23 | Type "apropos word" to search for commands related to "word"...
  24 | Reading symbols from /boot/kernel/kernel...
  25 | Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...
  26 | 
  27 | Unread portion of the kernel message buffer:
  28 | WARNING: /mnt/tc: GJOURNAL flag on fs but no gjournal provider below
  29 | WARNING: /mnt/tc: NFSv4 ACLs flag on fs conflicts with "acls" mount option; option ignored
  30 | Failed to find journal.  Use tunefs to create one
  31 | Failed to start journal: 22
  32 | panic: hashdestroy: hashtbl 0xfffffe001b271000 not empty (malloc type inodedep)
  33 | cpuid = 1
  34 | time = 1586169731
  35 | KDB: stack backtrace:
  36 | #0 0xffffffff806d65a7 at kdb_backtrace+0x67
  37 | #1 0xffffffff8068d84d at vpanic+0x19d
  38 | #2 0xffffffff8068d633 at panic+0x43
  39 | #3 0xffffffff806d54c7 at hashdestroy+0x47
  40 | #4 0xffffffff8092ef90 at softdep_unmount+0x260
  41 | #5 0xffffffff8092ecff at softdep_mount+0xa8f
  42 | #6 0xffffffff8094a1a1 at ffs_mount+0x1a61
  43 | #7 0xffffffff8074e2a3 at vfs_domount+0x733
  44 | #8 0xffffffff8074d577 at vfs_donmount+0x7e7
  45 | #9 0xffffffff8074cd61 at sys_nmount+0x71
  46 | #10 0xffffffff809ca547 at amd64_syscall+0x277
  47 | #11 0xffffffff809a27b0 at fast_syscall_common+0x101
  48 | Uptime: 49m4s
  49 | Dumping 129 out of 2027 MB:..13%..25%..38%..50%..62%..75%..87%..99%
  50 | 
  51 | __curthread () at /usr/src/sys/amd64/include/pcpu.h:234
  52 | 234		__asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
  53 | (kgdb) #0  __curthread () at /usr/src/sys/amd64/include/pcpu.h:234
  54 | #1  doadump (textdump=<optimized out>)
  55 |     at /usr/src/sys/kern/kern_shutdown.c:371
  56 | #2  0xffffffff8068d48b in kern_reboot (howto=260)
  57 |     at /usr/src/sys/kern/kern_shutdown.c:451
  58 | #3  0xffffffff8068d8a9 in vpanic (fmt=<optimized out>, ap=<optimized out>)
  59 |     at /usr/src/sys/kern/kern_shutdown.c:877
  60 | #4  0xffffffff8068d633 in panic (fmt=<unavailable>)
  61 |     at /usr/src/sys/kern/kern_shutdown.c:804
  62 | #5  0xffffffff806d54c7 in hashdestroy (vhashtbl=<optimized out>, 
  63 |     type=<optimized out>, hashmask=<optimized out>)
  64 |     at /usr/src/sys/kern/subr_hash.c:99
  65 | #6  0xffffffff8092ef90 in softdep_unmount (mp=<optimized out>)
  66 |     at /usr/src/sys/ufs/ffs/ffs_softdep.c:2607
  67 | #7  0xffffffff8092ecff in softdep_mount (devvp=0xfffff8002556bd20, 
  68 |     mp=0xfffff8000237a000, fs=0xfffffe001b247000, cred=0xfffff80002841100)
  69 |     at /usr/src/sys/ufs/ffs/ffs_softdep.c:2513
  70 | #8  0xffffffff8094a1a1 in ffs_mountfs (devvp=<optimized out>, 
  71 |     mp=0xfffff8000237a000, td=<optimized out>)
  72 |     at /usr/src/sys/ufs/ffs/ffs_vfsops.c:1038
  73 | #9  ffs_mount (mp=<optimized out>) at /usr/src/sys/ufs/ffs/ffs_vfsops.c:549
  74 | #10 0xffffffff8074e2a3 in vfs_domount_first (td=0xfffff8000225d000, 
  75 |     vfsp=<optimized out>, fspath=<optimized out>, vp=<optimized out>, 
  76 |     fsflags=<optimized out>, optlist=<optimized out>)
  77 |     at /usr/src/sys/kern/vfs_mount.c:893
  78 | #11 vfs_domount (td=0xfffff8000225d000, fstype=<optimized out>, 
  79 |     fspath=<optimized out>, fsflags=<optimized out>, 
  80 |     optlist=0xfffffe00004eb8e8) at /usr/src/sys/kern/vfs_mount.c:1186
  81 | #12 0xffffffff8074d577 in vfs_donmount (td=0xfffff8000225d000, fsflags=0, 
  82 |     fsoptions=0xfffff800251d0700) at /usr/src/sys/kern/vfs_mount.c:726
  83 | #13 0xffffffff8074cd61 in sys_nmount (td=0xfffff8000225d000, 
  84 |     uap=0xfffff8000225d3c0) at /usr/src/sys/kern/vfs_mount.c:431
  85 | #14 0xffffffff809ca547 in syscallenter (td=0xfffff8000225d000)
  86 |     at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
  87 | #15 amd64_syscall (td=0xfffff8000225d000, traced=0)
  88 |     at /usr/src/sys/amd64/amd64/trap.c:1186
  89 | #16 <signal handler called>
  90 | #17 0x00000008002f48ba in ?? ()
  91 | Backtrace stopped: Cannot access memory at address 0x7fffffffd368
  92 | (kgdb) 
  93 | 
  94 | ------------------------------------------------------------------------
  95 | ps -axlww
  96 | 
  97 | UID PID PPID CPU PRI NI   VSZ  RSS MWCHAN   STAT TT     TIME COMMAND
  98 |   0   0    0   0 -16  0     0    0 swapin   DLs   -  0:00.01 [kernel]
  99 |   0   1    0   0  20  0  9960  896 wait     DLs   -  0:00.01 [init]
 100 |   0   2    0   0 -16  0     0    0 crypto_w DL    -  0:00.00 [crypto]
 101 |   0   3    0   0 -16  0     0    0 crypto_r DL    -  0:00.00 [crypto returns 0]
 102 |   0   4    0   0 -16  0     0    0 crypto_r DL    -  0:00.00 [crypto returns 1]
 103 |   0   5    0   0 -16  0     0    0 -        RL    -  0:00.05 [cam]
 104 |   0   6    0   0 -16  0     0    0 -        DL    -  0:00.00 [soaiod1]
 105 |   0   7    0   0 -16  0     0    0 -        DL    -  0:00.00 [soaiod2]
 106 |   0   8    0   0 -16  0     0    0 -        DL    -  0:00.00 [soaiod3]
 107 |   0   9    0   0 -16  0     0    0 -        DL    -  0:00.00 [soaiod4]
 108 |   0  10    0   0 -16  0     0    0 audit_wo DL    -  0:00.00 [audit]
 109 |   0  11    0   0 155  0     0    0 -        RL    -  0:09.95 [idle]
 110 |   0  12    0   0 -52  0     0    0 -        WL    -  0:00.21 [intr]
 111 |   0  13    0   0  -8  0     0    0 -        DL    -  0:00.03 [geom]
 112 |   0  14    0   0 -68  0     0    0 -        DL    -  0:00.00 [usb]
 113 |   0  15    0   0 -16  0     0    0 waiting_ DL    -  0:00.00 [sctp_iterator]
 114 |   0  16    0   0 -16  0     0    0 -        DL    -  0:00.00 [rand_harvestq]
 115 |   0  17    0   0 -16  0     0    0 psleep   DL    -  0:00.00 [pagedaemon]
 116 |   0  18    0   0 -16  0     0    0 psleep   DL    -  0:00.00 [vmdaemon]
 117 |   0  19    0   0 -16  0     0    0 qsleep   DL    -  0:00.00 [bufdaemon]
 118 |   0  20    0   0  16  0     0    0 syncer   DL    -  0:00.00 [syncer]
 119 |   0  21    0   0 -16  0     0    0 vlruwt   DL    -  0:00.00 [vnlru]
 120 |   0 397    1   0  20  0 11388 2608 select   Ds    -  0:00.00 [dhclient]
 121 |   0 400    1   0  52  0 11608 2748 select   Ds    -  0:00.00 [dhclient]
 122 |  65 447    1   0  20  0 11776 2868 select   DCs   -  0:00.00 [dhclient]
 123 |   0 448    1   0  20  0 10456 1452 select   Ds    -  0:00.00 [devd]
 124 |   0 591    1   0  20  0 11400 2668 select   Ds    -  0:00.01 [syslogd]
 125 |   0 716    1   0  20  0 19668 7856 select   Ds    -  0:00.00 [sshd]
 126 |   0 719    1   0  20  0 16980 6844 select   Ds    -  0:00.00 [sendmail]
 127 |  25 722    1   0  20  0 16800 6664 pause    Ds    -  0:00.00 [sendmail]
 128 |   0 726    1   0  20  0 11420 2644 nanslp   Ds    -  0:00.00 [cron]
 129 |   0 776    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 130 |   0 777    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 131 |   0 778    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 132 |   0 779    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 133 |   0 780    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 134 |   0 781    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 135 |   0 782    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 136 |   0 783    1   0  52  0 10880 2276 ttyin    Ds+   -  0:00.00 [getty]
 137 |   0 859  716   0  20  0 20292 9008 select   Ds    -  0:00.00 [sshd]
 138 |   0 862  859   0  20  0 13188 3800 pause    Ds    -  0:00.01 [csh]
 139 |   0 870  862   0  52  0 11500 2840 wait     D+    -  0:00.00 [sh]
 140 |   0 875    0   0  -8  0     0    0 mdwait   DL    -  0:00.00 [md0]
 141 |   0 876  870   0  52  0 10820 2264 -        R+    -  0:00.00 [mount]
 142 | 
 143 | ------------------------------------------------------------------------
 144 | vmstat -s
 145 | 
 146 |    273317 cpu context switches
 147 |      6653 device interrupts
 148 |     25727 software interrupts
 149 |     83061 traps
 150 |    315528 system calls
 151 |        22 kernel threads created
 152 |       617  fork() calls
 153 |       235 vfork() calls
 154 |         2 rfork() calls
 155 |         0 swap pager pageins
 156 |         0 swap pager pages paged in
 157 |         0 swap pager pageouts
 158 |         0 swap pager pages paged out
 159 |      1130 vnode pager pageins
 160 |      8370 vnode pager pages paged in
 161 |         0 vnode pager pageouts
 162 |         0 vnode pager pages paged out
 163 |         0 page daemon wakeups
 164 |         0 pages examined by the page daemon
 165 |         0 clean page reclamation shortfalls
 166 |         0 pages reactivated by the page daemon
 167 |     28858 copy-on-write faults
 168 |        27 copy-on-write optimized faults
 169 |     43158 zero fill pages zeroed
 170 |         0 zero fill pages prezeroed
 171 |         0 intransit blocking page faults
 172 |     84401 total VM faults taken
 173 |      1020 page faults requiring I/O
 174 |         0 pages affected by kernel thread creation
 175 |     40157 pages affected by  fork()
 176 |      8441 pages affected by vfork()
 177 |       114 pages affected by rfork()
 178 |     98384 pages freed
 179 |         0 pages freed by daemon
 180 |         0 pages freed by exiting processes
 181 |         0 pages active
 182 |         0 pages inactive
 183 |         0 pages in the laundry queue
 184 |         0 pages wired down
 185 |         0 pages free
 186 |         0 bytes per page
 187 |         0 total name lookups
 188 |           cache hits (0% pos + 0% neg) system 0% per-directory
 189 |           deletions 0%, falsehits 0%, toolong 0%
 190 | 
 191 | ------------------------------------------------------------------------
 192 | vmstat -m
 193 | 
 194 |          Type InUse MemUse HighUse Requests  Size(s)
 195 |       scsi_cd     0     0K       -        5  512
 196 | CAM dev queue     3     2K       -        3  512
 197 |         vtbuf    24  2064K       -       46  8192
 198 |            vt    11    11K       -       11  1024
 199 |      acpiintr     1     1K       -        1  512
 200 |        acpica   823   428K       -    47404  512,1024,2048,4096,16384
 201 |        DEVFS3   100    50K       -      116  512
 202 |        DEVFS1    77    77K       -       83  1024
 203 |    DEVFS_RULE    56    54K       -       56  512,1024
 204 |         DEVFS    12     6K       -       13  512
 205 |        DEVFSP     2     1K       -        2  512
 206 | NFSD V4client     1     1K       -        1  512
 207 |  NFSD lckfile     1     1K       -        1  512
 208 |  NFSD session     1     2K       -        1  2048
 209 |     pfs_nodes    20    20K       -       20  1024
 210 |          GEOM    64    52K       -      565  512,1024,2048,4096,8192,16384
 211 |     raid_data     0     0K       -       84  512
 212 |        isadev     9     5K       -        9  512
 213 |      acpitask     1    64K       -        1  65536
 214 |       acpisem    23    12K       -       23  512
 215 |       acpidev    22    11K       -       22  512
 216 |       CAM SIM     3     2K       -        3  512
 217 |          cdev     2     1K       -        2  512
 218 |      filedesc     1     8K       -        1  8192
 219 |         sigio     0     0K       -        1  512
 220 |      filecaps     1     1K       -       68  512
 221 |       kdtrace   145   123K       -     1811  512,1024
 222 |          kenv    88    60K       -       92  512,16384
 223 |        kqueue    44    22K       -      877  512
 224 |     proc-args    38    19K       -     1156  512
 225 |         hhook    13     7K       -       13  512
 226 |       ithread    61    31K       -       61  512
 227 |        prison     4     2K       -        4  512
 228 |        KTRACE   100    50K       -      100  512
 229 |       CAM XPT    23    12K       -       46  512,1024,2048,4096
 230 |        linker   150   134K       -      164  512,1024,2048,4096,8192,16384
 231 |       CAM DEV     5    20K       -       11  4096
 232 |         lockf    24    12K       -       67  512
 233 |    loginclass     3     2K       -        3  512
 234 |        devbuf  1802  1672K       -     2028  512,1024,2048,4096,8192,16384,32768,65536
 235 |          temp    14    11K       -     1987  512,1024,2048,4096,8192
 236 |       CAM CCB     0     0K       -     4939  4096
 237 |        module   271   136K       -      272  512
 238 |      mtx_pool     2    80K       -        2  16384,65536
 239 |           osd     3     2K       -        9  512
 240 |      pmchooks     1     1K       -        1  512
 241 |           pmc     1     1K       -        1  512
 242 |          pgrp    21    11K       -       47  512
 243 |       session    20    10K       -       37  512
 244 |          proc     2    32K       -        2  16384
 245 |       subproc    99   407K       -      932  1024,8192
 246 |          cred    27    14K       -      238  512
 247 |      CAM path     7     4K       -       46  512
 248 |    CAM periph     6     3K       -     1008  512,1024
 249 |        plimit    17    17K       -      515  1024
 250 |       uidinfo     6    11K       -       16  512,8192
 251 |        dumper     1     2K       -        1  2048
 252 |        sysctl     0     0K       -        1  512
 253 |     sysctloid  2580  1290K       -     2629  512
 254 |     sysctltmp     0     0K       -     4691  512,1024,4096
 255 |       tidhash     1    32K       -        1  32768
 256 |       callout     3  1692K       -        3  
 257 |          umtx   236   118K       -      236  512
 258 |      p1003.1b     1     1K       -        1  512
 259 |          SWAP     1    64K       -        1  65536
 260 |           bus   592   296K       -     5342  512,4096,8192
 261 |        bus-sc    35   283K       -      973  512,1024,2048,4096,8192,16384,65536
 262 | CAM I/O Scheduler     1     1K       -        1  512
 263 |       devstat     6    50K       -        6  512,16384
 264 |         epoch     4     2K       -        4  512
 265 |  eventhandler   119    60K       -      119  512
 266 |    gtaskqueue    22    73K       -       22  512,16384
 267 |          kobj   164  1312K       -      278  8192
 268 |       Per-cpu     1     1K       -        1  512
 269 |          rman   103    52K       -      392  512
 270 |          sbuf     0     0K       -      496  512,1024,16384,32768
 271 |     toponodes    10     5K       -       10  512
 272 |     taskqueue    33    17K       -       33  512
 273 |      terminal    11     6K       -       11  512
 274 |        Unitno    20    10K       -       40  512
 275 |          vmem     3    32K       -        3  8192,16384
 276 |      ioctlops     0     0K       -       77  512,1024,2048,4096
 277 |        select    12     6K       -       12  512
 278 |           iov     1     1K       -    14582  512,1024
 279 |           msg     4    68K       -        4  4096,16384,32768
 280 |           sem     4   120K       -        4  4096,8192
 281 |           shm     1    32K       -        1  32768
 282 |           tty    13    26K       -       13  2048
 283 |           pts     1     1K       -        1  512
 284 |      mbuf_tag     0     0K       -       17  512
 285 |         shmfd     1    16K       -        1  16384
 286 |        soname     4     2K       -    11598  512
 287 |           pcb    22   613K       -       36  512,4096,8192,16384
 288 |       ata_pci     1     1K       -        1  512
 289 |           acl     0     0K       -        1  16384
 290 |      vfscache     4  1081K       -        4  1024,16384,32768
 291 |      vfs_hash     1   520K       -        1  
 292 |        vnodes     1     1K       -        1  1024
 293 |         mount    29    16K       -      133  512,1024
 294 |        statfs     0     0K       -      274  8192
 295 |         evdev     1     2K       -        1  2048
 296 |   vnodemarker     0     0K       -      198  1024
 297 | chacha20random     1     1K       -        1  1024
 298 |           BPF    10    68K       -       10  512,1024,16384
 299 |         ifnet     3     9K       -        3  512,4096
 300 |        ifaddr    36    45K       -       36  512,1024,8192,16384
 301 |   ether_multi    13     7K       -       18  512
 302 |         clone     6     3K       -        6  512
 303 |         ipsec     3     3K       -        3  1024
 304 |       lltable    10     8K       -       11  512,1024
 305 |         iflib    16   160K       -       20  512,2048,8192,16384,32768
 306 |      routetbl    25    14K       -       29  512,1024
 307 |          vnet     1     1K       -        1  512
 308 |     vnet_data     1   248K       -        1  
 309 | vnet_data_free     1     1K       -        1  512
 310 |          igmp     2     1K       -        2  512
 311 |      in_multi     2     1K       -        3  512
 312 | encap_export_host    12     6K       -       12  512
 313 |     sctp_a_it     0     0K       -        2  512
 314 |      sctp_vrf     1     1K       -        1  512
 315 |      sctp_ifa     4     2K       -        4  512
 316 |      sctp_ifn     2     1K       -        2  512
 317 |     sctp_iter     0     0K       -        2  512
 318 |    tfo_ccache     1   136K       -        1  
 319 |     hostcache     1    64K       -        1  65536
 320 |       tcpfunc     1     1K       -        1  512
 321 |      syncache     1    76K       -        1  
 322 |     in6_multi     9     5K       -        9  512
 323 |           mld     2     1K       -        2  512
 324 |        ip6ndp     3     2K       -        3  512
 325 |   inpcbpolicy     7     4K       -       58  512
 326 |      secasvar     1     4K       -        1  4096
 327 |        sahead     1     4K       -        1  4096
 328 |   ipsecpolicy     2     5K       -        2  512,4096
 329 |     ipsec-saq     2     8K       -        2  4096
 330 |        crypto     2     3K       -        2  512,2048
 331 |           rpc     2    16K       -        2  8192
 332 | audit_evclass   230   115K       -      285  512
 333 |      ufs_trim     1    16K       -        1  16384
 334 |       pagedep     3   137K       -       32  512
 335 |      inodedep    11  1049K       -      119  1024
 336 |     bmsafemap     4    33K       -       58  512,16384
 337 |        newblk     3  2065K       -       44  512
 338 |      freefrag     0     0K       -        1  512
 339 |      freeblks     5     3K       -       31  512
 340 |      freefile     2     1K       -       37  512
 341 |        diradd     1     1K       -       68  512
 342 |         mkdir     0     0K       -       18  512
 343 |        dirrem     3     2K       -       60  512
 344 |     newdirblk     0     0K       -        9  512
 345 |      freework     7     4K       -       33  512
 346 |       jaddref     0     0K       -       86  512
 347 |       jremref     0     0K       -       70  512
 348 |       jnewblk     0     0K       -       42  512
 349 |     jfreefrag     0     0K       -        1  512
 350 |          jseg     3     2K       -       24  512
 351 |       jsegdep     7     4K       -      199  512
 352 |         sbdep     0     0K       -       16  512
 353 |      savedino     0     0K       -       30  1024
 354 |       jblocks     2     1K       -        2  512
 355 |       softdep     2     2K       -        2  1024
 356 |   ufs_dirhash    51    34K       -       51  512,1024
 357 |     ufs_quota     1   520K       -        1  
 358 |     ufs_mount     6    66K       -       10  1024,4096,16384
 359 |     vm_pgdata     1     1K       -        1  512
 360 |       UMAHash     1    16K       -        2  16384
 361 |       md_disk     1     8K       -        1  8192
 362 |       memdesc     1     8K       -        1  8192
 363 |      pci_link    10     5K       -       10  512
 364 |        apmdev     1     1K       -        1  512
 365 |    madt_table     0     0K       -        2  512,8192
 366 |       entropy     1     1K       -       25  512,16384
 367 |          intr     4   408K       -        4  65536
 368 |       io_apic     1     4K       -        1  4096
 369 |    local_apic     1     4K       -        1  4096
 370 |           MCA    10     5K       -       10  512
 371 |          cpus     2     1K       -        2  512
 372 |      nexusdev     5     3K       -        5  512
 373 |     CAM queue     8    12K       -       28  512,2048
 374 |           USB    24    44K       -       24  512,1024,8192
 375 |        USBdev    20    10K       -       20  512
 376 | 
 377 | ------------------------------------------------------------------------
 378 | vmstat -z
 379 | 
 380 | ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
 381 | 
 382 | UMA Kegs:               224,      0,     124,      12,     124,   0,   0
 383 | UMA Zones:              680,      0,     127,       3,     133,   0,   0
 384 | UMA Slabs:              112,      0,    2085,      15,    2174,   0,   0
 385 | UMA Hash:               256,      0,      10,       5,      11,   0,   0
 386 | 4 Bucket:                32,      0,      82,     786,    3239,   0,   0
 387 | 6 Bucket:                48,      0,       6,     575,      88,   0,   0
 388 | 8 Bucket:                64,      0,     212,     346,    1075,  21,   0
 389 | 12 Bucket:               96,      0,      13,     274,     307,   0,   0
 390 | 16 Bucket:              128,      0,      30,     249,     227,   1,   0
 391 | 32 Bucket:              256,      0,      29,     166,     654,   2,   0
 392 | 64 Bucket:              512,      0,      41,      36,     153,   2,   0
 393 | 128 Bucket:            1024,      0,      27,      25,     119,   3,   0
 394 | 256 Bucket:            2048,      0,      65,      13,     243, 758,   0
 395 | vmem:                  1856,      0,       3,       1,       3,   0,   0
 396 | vmem btag:               56,      0,     876,      47,     876,   7,   0
 397 | VM OBJECT:              256,      0,    1188,     282,   13499,   0,   0
 398 | RADIX NODE:             144,      0,    2139,     264,   21550,   0,   0
 399 | MAP:                    240,      0,       3,      61,       3,   0,   0
 400 | KMAP ENTRY:             120,      0,       7,     257,       7,   0,   0
 401 | MAP ENTRY:              120,      0,     875,     775,   44076,   0,   0
 402 | VMSPACE:               2560,      0,      22,       8,     856,   0,   0
 403 | fakepg:                 104,      0,       0,       0,       0,   0,   0
 404 | 64 pcpu:                  8,      0,    2541,     275,    2541,   0,   0
 405 | mt_stats_zone:           64,      0,     352,     160,     352,   0,   0
 406 | mt_zone:                 24,      0,     352,     312,     352,   0,   0
 407 | 16:                      16,      0,       0,       0,       0,   0,   0
 408 | 32:                      32,      0,       0,       0,       0,   0,   0
 409 | 64:                      64,      0,       0,       0,       0,   0,   0
 410 | 128:                    128,      0,       0,       0,       0,   0,   0
 411 | 256:                    256,      0,       0,       0,       0,   0,   0
 412 | 512:                    512,      0,    7625,     152,   90390,   0,   0
 413 | 1024:                  1024,      0,     805,      63,    9141,   0,   0
 414 | 2048:                  2048,      0,      40,      12,     928,   0,   0
 415 | 4096:                  4096,      0,      32,      62,    5331,   0,   0
 416 | 8192:                  8192,      0,     243,       3,    2658,   0,   0
 417 | 16384:                16384,      0,      52,       0,     206,   0,   0
 418 | 32768:                32768,      0,       6,       1,      10,   0,   0
 419 | 65536:                65536,      0,      11,       2,      59,   0,   0
 420 | SLEEPQUEUE:              88,      0,     119,     160,     119,   0,   0
 421 | Files:                   80,      0,      73,     221,    7668,   0,   0
 422 | filedesc0:             1104,      0,      44,      19,     877,   0,   0
 423 | TURNSTILE:              136,      0,     119,      81,     119,   0,   0
 424 | rangeset pctrie nodes:    144,      0,       0,       0,       0,   0,   0
 425 | rl_entry:                40,      0,      33,     561,      33,   0,   0
 426 | umtx pi:                 96,      0,       0,       0,       0,   0,   0
 427 | umtx_shm:                88,      0,       0,       0,       0,   0,   0
 428 | MAC labels:              40,      0,       0,       0,       0,   0,   0
 429 | PROC:                  1328,      0,      43,      11,     876,   0,   0
 430 | THREAD:                1488,      0,     110,       8,     110,   0,   0
 431 | cpuset:                 104,      0,       7,     272,       7,   0,   0
 432 | domainset:               40,      0,       0,       0,       0,   0,   0
 433 | audit_record:          1280,      0,       0,       0,       0,   0,   0
 434 | mbuf_packet:            256, 809145,       0,     519,    1050,   0,   0
 435 | mbuf:                   256, 809145,    1066,    5778,   20317,   0,   0
 436 | mbuf_cluster:          2048, 126428,    1530,    1036,    3600,   0,   0
 437 | mbuf_jumbo_page:       4096,  63214,       0,       3,       5,   0,   0
 438 | mbuf_jumbo_9k:         9216,  56190,       0,       0,       0,   0,   0
 439 | mbuf_jumbo_16k:       16384,  42140,       0,       0,       0,   0,   0
 440 | epoch_record pcpu:      256,      0,       4,      60,       4,   0,   0
 441 | ttyoutq:                256,      0,      95,     100,     167,   0,   0
 442 | DMAR_MAP_ENTRY:         120,      0,       0,       0,       0,   0,   0
 443 | FPU_save_area:          832,      0,       0,       0,       0,   0,   0
 444 | ttyinq:                 160,      0,     180,      84,     315,   0,   0
 445 | nvme_request:           128,      0,       0,       0,       0,   0,   0
 446 | g_bio:                  400,      0,       0,     261,   11987,   0,   0
 447 | vtnet_tx_hdr:            24,      0,       0,       0,       0,   0,   0
 448 | cryptop:                128,      0,       0,       0,       0,   0,   0
 449 | cryptodesc:             120,      0,       0,       0,       0,   0,   0
 450 | crypto_session:          24,      0,       0,       0,       0,   0,   0
 451 | VNODE:                  480,      0,     778,      38,     817,   0,   0
 452 | VNODEPOLL:              120,      0,       0,       0,       0,   0,   0
 453 | BUF TRIE:               144,      0,     290,   13372,     706,   0,   0
 454 | S VFS Cache:            108,      0,     787,      88,    1980,   0,   0
 455 | STS VFS Cache:          148,      0,       0,       0,       0,   0,   0
 456 | L VFS Cache:            328,      0,       0,       0,       0,   0,   0
 457 | LTS VFS Cache:          368,      0,       0,       0,       0,   0,   0
 458 | NAMEI:                 1024,      0,       0,      40,   16529,   0,   0
 459 | rentr:                   24,      0,       0,     332,       1,   0,   0
 460 | NCLNODE:                592,      0,       0,       0,       0,   0,   0
 461 | DIRHASH:               1024,      0,      85,      19,      85,   0,   0
 462 | Mountpoints:           2744,      0,       3,       0,       3,   0,   0
 463 | procdesc:               136,      0,       1,      86,       2,   0,   0
 464 | AIO:                    208,      0,       0,       0,       0,   0,   0
 465 | AIOP:                    32,      0,       0,       0,       0,   0,   0
 466 | AIOCB:                  752,      0,       0,       0,       0,   0,   0
 467 | AIOLIO:                 280,      0,       0,       0,       0,   0,   0
 468 | pipe:                   760,      0,       3,      37,     309,   0,   0
 469 | ksiginfo:               112,      0,      39,    1011,     155,   0,   0
 470 | itimer:                 352,      0,       0,       0,       0,   0,   0
 471 | KNOTE:                  160,      0,       0,       0,       0,   0,   0
 472 | socket:                 872,  64880,      19,       9,    1381,   0,   0
 473 | ipq:                     56,   3976,       0,       0,       0,   0,   0
 474 | udp_inpcb:              488,  64880,       2,      62,      51,   0,   0
 475 | udpcb:                   32,  64976,       2,     618,      51,   0,   0
 476 | tcp_inpcb:              488,  64880,       4,      60,       6,   0,   0
 477 | tcpcb:                  976,  64880,       4,      24,       6,   0,   0
 478 | tcptw:                   88,  13005,       0,       0,       0,   0,   0
 479 | syncache:               168,  15364,       0,      69,       1,   0,   0
 480 | hostcache:               96,  15375,       0,       0,       0,   0,   0
 481 | sackhole:                32,      0,       0,       0,       0,   0,   0
 482 | tfo:                      4,      0,       0,       0,       0,   0,   0
 483 | tfo_ccache_entries:      80,      0,       0,       0,       0,   0,   0
 484 | tcpreass:                48,   7968,       0,       0,       0,   0,   0
 485 | tcp_log:                408, 1000008,       0,       0,       0,   0,   0
 486 | tcp_log_bucket:         144,      0,       0,       0,       0,   0,   0
 487 | tcp_log_node:           120,      0,       0,       0,       0,   0,   0
 488 | sctp_ep:               1280,  64881,       0,       0,       0,   0,   0
 489 | sctp_asoc:             2408,  40000,       0,       0,       0,   0,   0
 490 | sctp_laddr:              48,  80012,       0,     581,       3,   0,   0
 491 | sctp_raddr:             736,  80000,       0,       0,       0,   0,   0
 492 | sctp_chunk:             152, 400010,       0,       0,       0,   0,   0
 493 | sctp_readq:             152, 400010,       0,       0,       0,   0,   0
 494 | sctp_stream_msg_out:    112, 400015,       0,       0,       0,   0,   0
 495 | sctp_asconf:             40, 400059,       0,       0,       0,   0,   0
 496 | sctp_asconf_ack:         48, 400060,       0,       0,       0,   0,   0
 497 | udplite_inpcb:          488,  64880,       0,       0,       0,   0,   0
 498 | ripcb:                  488,  64880,       1,      31,       1,   0,   0
 499 | unpcb:                  256,  64890,      11,     124,    1311,   0,   0
 500 | IPsec SA lft_c:          16,      0,       0,       0,       0,   0,   0
 501 | rtentry:                208,      0,      11,     122,      14,   0,   0
 502 | selfd:                   64,      0,      30,     528,   19647,   0,   0
 503 | swpctrie:               144, 252882,       0,       0,       0,   0,   0
 504 | swblk:                  136, 252880,       0,       0,       0,   0,   0
 505 | FFS inode:              160,      0,     745,      71,     782,   0,   0
 506 | FFS1 dinode:            128,      0,       0,       0,       0,   0,   0
 507 | FFS2 dinode:            256,      0,     745,      50,     782,   0,   0
 508 | 
 509 | 
 510 | ------------------------------------------------------------------------
 511 | vmstat -i
 512 | 
 513 | interrupt                          total       rate
 514 | irq11: em0:irq0+++                  1743         82
 515 | irq14: ata0                         4910        231
 516 | cpu0:timer                         21539       1011
 517 | cpu1:timer                         35692       1676
 518 | Total                              63884       3000
 519 | 
 520 | ------------------------------------------------------------------------
 521 | pstat -T
 522 | 
 523 |  73/64879 files
 524 | 0M/0M swap space
 525 | 
 526 | ------------------------------------------------------------------------
 527 | pstat -s
 528 | 
 529 | Device          512-blocks     Used    Avail Capacity
 530 | 
 531 | ------------------------------------------------------------------------
 532 | iostat
 533 | 
 534 |        tty             md0             ada0              cd0             cpu
 535 |  tin  tout  KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
 536 |    1     8  0.00   0  0.00  30.90   1  0.03   0.00   0  0.00   0  0  0  0 100
 537 | 
 538 | ------------------------------------------------------------------------
 539 | ipcs -a
 540 | 
 541 | Message Queues:
 542 | T           ID          KEY MODE        OWNER    GROUP    CREATOR  CGROUP                 CBYTES                 QNUM               QBYTES        LSPID        LRPID STIME    RTIME    CTIME   
 543 | 
 544 | Shared Memory:
 545 | T           ID          KEY MODE        OWNER    GROUP    CREATOR  CGROUP         NATTCH        SEGSZ         CPID         LPID ATIME    DTIME    CTIME   
 546 | 
 547 | Semaphores:
 548 | T           ID          KEY MODE        OWNER    GROUP    CREATOR  CGROUP          NSEMS OTIME    CTIME   
 549 | 
 550 | 
 551 | ------------------------------------------------------------------------
 552 | ipcs -T
 553 | 
 554 | msginfo:
 555 | 	msgmax:        16384	(max characters in a message)
 556 | 	msgmni:           40	(# of message queues)
 557 | 	msgmnb:         2048	(max characters in a message queue)
 558 | 	msgtql:           40	(max # of messages in system)
 559 | 	msgssz:            8	(size of a message segment)
 560 | 	msgseg:         2048	(# of message segments in system)
 561 | 
 562 | shminfo:
 563 | 	shmmax:    536870912	(max shared memory segment size)
 564 | 	shmmin:            1	(min shared memory segment size)
 565 | 	shmmni:          192	(max number of shared memory identifiers)
 566 | 	shmseg:          128	(max shared memory segments per process)
 567 | 	shmall:       131072	(max amount of shared memory in pages)
 568 | 
 569 | seminfo:
 570 | 	semmni:           50	(# of semaphore identifiers)
 571 | 	semmns:          340	(# of semaphores in system)
 572 | 	semmnu:          150	(# of undo structures in system)
 573 | 	semmsl:          340	(max # of semaphores per id)
 574 | 	semopm:          100	(max # of operations per semop call)
 575 | 	semume:           50	(max # of undo entries per process)
 576 | 	semusz:          632	(size in bytes of undo structure)
 577 | 	semvmx:        32767	(semaphore maximum value)
 578 | 	semaem:        16384	(adjust on exit max value)
 579 | 
 580 | 
 581 | ------------------------------------------------------------------------
 582 | nfsstat
 583 | 
 584 | Rpc Counts:
 585 |       Getattr      Setattr       Lookup     Readlink         Read        Write       Create       Remove
 586 |             0            0            0            0            0            0            0            0
 587 |        Rename         Link      Symlink        Mkdir        Rmdir      Readdir     RdirPlus       Access
 588 |             0            0            0            0            0            0            0            0
 589 |         Mknod       Fsstat       Fsinfo     PathConf       Commit
 590 |             0            0            0            0            0
 591 | Rpc Info:
 592 |      TimedOut      Invalid    X Replies      Retries     Requests
 593 |             0            0            0            0            0
 594 | Cache Info:
 595 |     Attr Hits  Attr Misses    Lkup Hits  Lkup Misses    BioR Hits  BioR Misses    BioW Hits  BioW Misses
 596 |             0            0            0            0            0            0            0            0
 597 |    BioRL Hits BioRL Misses    BioD Hits  BioD Misses    DirE Hits  DirE Misses    Accs Hits  Accs Misses
 598 |             0            0            0            0            0            0            0            0
 599 | Server Info:
 600 |       Getattr      Setattr       Lookup     Readlink         Read        Write       Create       Remove
 601 |             0            0            0            0            0            0            0            0
 602 |        Rename         Link      Symlink        Mkdir        Rmdir      Readdir     RdirPlus       Access
 603 |             0            0            0            0            0            0            0            0
 604 |         Mknod       Fsstat       Fsinfo     PathConf       Commit
 605 |             0            0            0            0            0
 606 | Server Re-Failed
 607 |                0
 608 | Server Faults
 609 |             0
 610 | Server Write 
 611 |      WriteOps     WriteRPC      Opsaved
 612 |             0            0            0
 613 | Server Cache 
 614 |        Inprog         Idem     Non-Idem       Misses
 615 |             0            0            0            0
 616 | 
 617 | ------------------------------------------------------------------------
 618 | netstat -s
 619 | 
 620 | tcp:
 621 | 	143 packets sent
 622 | 		140 data packets (28138 bytes)
 623 | 		0 data packets (0 bytes) retransmitted
 624 | 		0 data packets unnecessarily retransmitted
 625 | 		0 resends initiated by MTU discovery
 626 | 		3 ack-only packets (2 delayed)
 627 | 		0 URG only packets
 628 | 		0 window probe packets
 629 | 		0 window update packets
 630 | 		0 control packets
 631 | 	188 packets received
 632 | 		121 acks (for 28139 bytes)
 633 | 		0 duplicate acks
 634 | 		0 acks for unsent data
 635 | 		75 packets (7129 bytes) received in-sequence
 636 | 		0 completely duplicate packets (0 bytes)
 637 | 		0 old duplicate packets
 638 | 		0 packets with some dup. data (0 bytes duped)
 639 | 		0 out-of-order packets (0 bytes)
 640 | 		0 packets (0 bytes) of data after window
 641 | 		0 window probes
 642 | 		0 window update packets
 643 | 		0 packets received after close
 644 | 		0 discarded for bad checksums
 645 | 		0 discarded for bad header offset fields
 646 | 		0 discarded because packet too short
 647 | 		0 discarded due to memory problems
 648 | 	0 connection requests
 649 | 	1 connection accept
 650 | 	0 bad connection attempts
 651 | 	0 listen queue overflows
 652 | 	0 ignored RSTs in the windows
 653 | 	1 connection established (including accepts)
 654 | 		0 times used RTT from hostcache
 655 | 		0 times used RTT variance from hostcache
 656 | 		0 times used slow-start threshold from hostcache
 657 | 	2 connections closed (including 0 drops)
 658 | 		0 connections updated cached RTT on close
 659 | 		0 connections updated cached RTT variance on close
 660 | 		0 connections updated cached ssthresh on close
 661 | 	0 embryonic connections dropped
 662 | 	121 segments updated rtt (of 114 attempts)
 663 | 	0 retransmit timeouts
 664 | 		0 connections dropped by rexmit timeout
 665 | 	0 persist timeouts
 666 | 		0 connections dropped by persist timeout
 667 | 	0 Connections (fin_wait_2) dropped because of timeout
 668 | 	0 keepalive timeouts
 669 | 		0 keepalive probes sent
 670 | 		0 connections dropped by keepalive
 671 | 	110 correct ACK header predictions
 672 | 	65 correct data packet header predictions
 673 | 	1 syncache entry added
 674 | 		0 retransmitted
 675 | 		0 dupsyn
 676 | 		0 dropped
 677 | 		1 completed
 678 | 		0 bucket overflow
 679 | 		0 cache overflow
 680 | 		0 reset
 681 | 		0 stale
 682 | 		0 aborted
 683 | 		0 badack
 684 | 		0 unreach
 685 | 		0 zone failures
 686 | 	1 cookie sent
 687 | 	1 cookie received
 688 | 	0 hostcache entries added
 689 | 		0 bucket overflow
 690 | 	0 SACK recovery episodes
 691 | 	0 segment rexmits in SACK recovery episodes
 692 | 	0 byte rexmits in SACK recovery episodes
 693 | 	0 SACK options (SACK blocks) received
 694 | 	0 SACK options (SACK blocks) sent
 695 | 	0 SACK scoreboard overflow
 696 | 	0 packets with ECN CE bit set
 697 | 	0 packets with ECN ECT(0) bit set
 698 | 	0 packets with ECN ECT(1) bit set
 699 | 	0 successful ECN handshakes
 700 | 	0 times ECN reduced the congestion window
 701 | 	0 packets with matching signature received
 702 | 	0 packets with bad signature received
 703 | 	0 times failed to make signature due to no SA
 704 | 	0 times unexpected signature received
 705 | 	0 times no signature provided by segment
 706 | 	0 Path MTU discovery black hole detection activations
 707 | 	0 Path MTU discovery black hole detection min MSS activations
 708 | 	0 Path MTU discovery black hole detection failures
 709 | TCP connection count by state:
 710 | 	0 connections in CLOSED state
 711 | 	3 connections in LISTEN state
 712 | 	0 connections in SYN_SENT state
 713 | 	0 connections in SYN_RCVD state
 714 | 	1 connection  in ESTABLISHED state
 715 | 	0 connections in CLOSE_WAIT state
 716 | 	0 connections in FIN_WAIT_1 state
 717 | 	0 connections in CLOSING state
 718 | 	0 connections in LAST_ACK state
 719 | 	0 connections in FIN_WAIT_2 state
 720 | 	0 connections in TIME_WAIT state
 721 | udp:
 722 | 	6 datagrams received
 723 | 	0 with incomplete header
 724 | 	0 with bad data length field
 725 | 	0 with bad checksum
 726 | 	0 with no checksum
 727 | 	1 dropped due to no socket
 728 | 	2 broadcast/multicast datagrams undelivered
 729 | 	0 dropped due to full socket buffers
 730 | 	0 not for hashed pcb
 731 | 	3 delivered
 732 | 	3 datagrams output
 733 | 	0 times multicast source filter matched
 734 | ip:
 735 | 	195 total packets received
 736 | 	0 bad header checksums
 737 | 	0 with size smaller than minimum
 738 | 	0 with data size < data length
 739 | 	0 with ip length > max ip packet size
 740 | 	0 with header length < data size
 741 | 	0 with data length < header length
 742 | 	0 with bad options
 743 | 	0 with incorrect version number
 744 | 	0 fragments received
 745 | 	0 fragments dropped (dup or out of space)
 746 | 	0 fragments dropped after timeout
 747 | 	0 packets reassembled ok
 748 | 	194 packets for this host
 749 | 	0 packets for unknown/unsupported protocol
 750 | 	0 packets forwarded (0 packets fast forwarded)
 751 | 	1 packet not forwardable
 752 | 	0 packets received for unknown multicast group
 753 | 	0 redirects sent
 754 | 	149 packets sent from this host
 755 | 	1 packet sent with fabricated ip header
 756 | 	0 output packets dropped due to no bufs, etc.
 757 | 	0 output packets discarded due to no route
 758 | 	0 output datagrams fragmented
 759 | 	0 fragments created
 760 | 	0 datagrams that can't be fragmented
 761 | 	0 tunneling packets that can't find gif
 762 | 	0 datagrams with bad address in header
 763 | icmp:
 764 | 	1 call to icmp_error
 765 | 	0 errors not generated in response to an icmp message
 766 | 	Output histogram:
 767 | 		destination unreachable: 1
 768 | 	0 messages with bad code fields
 769 | 	0 messages less than the minimum length
 770 | 	0 messages with bad checksum
 771 | 	0 messages with bad length
 772 | 	0 multicast echo requests ignored
 773 | 	0 multicast timestamp requests ignored
 774 | 	0 message responses generated
 775 | 	0 invalid return addresses
 776 | 	0 no return routes
 777 | ipsec:
 778 | 	0 inbound packets violated process security policy
 779 | 	0 inbound packets failed due to insufficient memory
 780 | 	0 invalid inbound packets
 781 | 	0 outbound packets violated process security policy
 782 | 	0 outbound packets with no SA available
 783 | 	0 outbound packets failed due to insufficient memory
 784 | 	0 outbound packets with no route available
 785 | 	0 invalid outbound packets
 786 | 	0 outbound packets with bundled SAs
 787 | 	0 spd cache hits
 788 | 	0 spd cache misses
 789 | 	0 clusters copied during clone
 790 | 	0 mbufs inserted during makespace
 791 | ah:
 792 | 	0 packets shorter than header shows
 793 | 	0 packets dropped; protocol family not supported
 794 | 	0 packets dropped; no TDB
 795 | 	0 packets dropped; bad KCR
 796 | 	0 packets dropped; queue full
 797 | 	0 packets dropped; no transform
 798 | 	0 replay counter wraps
 799 | 	0 packets dropped; bad authentication detected
 800 | 	0 packets dropped; bad authentication length
 801 | 	0 possible replay packets detected
 802 | 	0 packets in
 803 | 	0 packets out
 804 | 	0 packets dropped; invalid TDB
 805 | 	0 bytes in
 806 | 	0 bytes out
 807 | 	0 packets dropped; larger than IP_MAXPACKET
 808 | 	0 packets blocked due to policy
 809 | 	0 crypto processing failures
 810 | 	0 tunnel sanity check failures
 811 | esp:
 812 | 	0 packets shorter than header shows
 813 | 	0 packets dropped; protocol family not supported
 814 | 	0 packets dropped; no TDB
 815 | 	0 packets dropped; bad KCR
 816 | 	0 packets dropped; queue full
 817 | 	0 packets dropped; no transform
 818 | 	0 packets dropped; bad ilen
 819 | 	0 replay counter wraps
 820 | 	0 packets dropped; bad encryption detected
 821 | 	0 packets dropped; bad authentication detected
 822 | 	0 possible replay packets detected
 823 | 	0 packets in
 824 | 	0 packets out
 825 | 	0 packets dropped; invalid TDB
 826 | 	0 bytes in
 827 | 	0 bytes out
 828 | 	0 packets dropped; larger than IP_MAXPACKET
 829 | 	0 packets blocked due to policy
 830 | 	0 crypto processing failures
 831 | 	0 tunnel sanity check failures
 832 | ipcomp:
 833 | 	0 packets shorter than header shows
 834 | 	0 packets dropped; protocol family not supported
 835 | 	0 packets dropped; no TDB
 836 | 	0 packets dropped; bad KCR
 837 | 	0 packets dropped; queue full
 838 | 	0 packets dropped; no transform
 839 | 	0 replay counter wraps
 840 | 	0 packets in
 841 | 	0 packets out
 842 | 	0 packets dropped; invalid TDB
 843 | 	0 bytes in
 844 | 	0 bytes out
 845 | 	0 packets dropped; larger than IP_MAXPACKET
 846 | 	0 packets blocked due to policy
 847 | 	0 crypto processing failures
 848 | 	0 packets sent uncompressed; size < compr. algo. threshold
 849 | 	0 packets sent uncompressed; compression was useless
 850 | arp:
 851 | 	3 ARP requests sent
 852 | 	4 ARP replies sent
 853 | 	17 ARP requests received
 854 | 	2 ARP replies received
 855 | 	19 ARP packets received
 856 | 	0 total packets dropped due to no ARP entry
 857 | 	1 ARP entry timed out
 858 | 	0 Duplicate IPs seen
 859 | ip6:
 860 | 	0 total packets received
 861 | 	0 with size smaller than minimum
 862 | 	0 with data size < data length
 863 | 	0 with bad options
 864 | 	0 with incorrect version number
 865 | 	0 fragments received
 866 | 	0 fragments dropped (dup or out of space)
 867 | 	0 fragments dropped after timeout
 868 | 	0 fragments that exceeded limit
 869 | 	0 packets reassembled ok
 870 | 	0 packets for this host
 871 | 	0 packets forwarded
 872 | 	0 packets not forwardable
 873 | 	0 redirects sent
 874 | 	0 packets sent from this host
 875 | 	0 packets sent with fabricated ip header
 876 | 	0 output packets dropped due to no bufs, etc.
 877 | 	0 output packets discarded due to no route
 878 | 	0 output datagrams fragmented
 879 | 	0 fragments created
 880 | 	0 datagrams that can't be fragmented
 881 | 	0 packets that violated scope rules
 882 | 	0 multicast packets which we don't join
 883 | 	Mbuf statistics:
 884 | 		0 one mbuf
 885 | 		0 one ext mbuf
 886 | 		0 two or more ext mbuf
 887 | 	0 packets whose headers are not contiguous
 888 | 	0 tunneling packets that can't find gif
 889 | 	0 packets discarded because of too many headers
 890 | 	0 failures of source address selection
 891 | icmp6:
 892 | 	0 calls to icmp6_error
 893 | 	0 errors not generated in response to an icmp6 message
 894 | 	0 errors not generated because of rate limitation
 895 | 	0 messages with bad code fields
 896 | 	0 messages < minimum length
 897 | 	0 bad checksums
 898 | 	0 messages with bad length
 899 | 	Histogram of error messages to be generated:
 900 | 		0 no route
 901 | 		0 administratively prohibited
 902 | 		0 beyond scope
 903 | 		0 address unreachable
 904 | 		0 port unreachable
 905 | 		0 packet too big
 906 | 		0 time exceed transit
 907 | 		0 time exceed reassembly
 908 | 		0 erroneous header field
 909 | 		0 unrecognized next header
 910 | 		0 unrecognized option
 911 | 		0 redirect
 912 | 		0 unknown
 913 | 	0 message responses generated
 914 | 	0 messages with too many ND options
 915 | 	0 messages with bad ND options
 916 | 	0 bad neighbor solicitation messages
 917 | 	0 bad neighbor advertisement messages
 918 | 	0 bad router solicitation messages
 919 | 	0 bad router advertisement messages
 920 | 	0 bad redirect messages
 921 | 	0 path MTU changes
 922 | ipsec6:
 923 | 	0 inbound packets violated process security policy
 924 | 	0 inbound packets failed due to insufficient memory
 925 | 	0 invalid inbound packets
 926 | 	0 outbound packets violated process security policy
 927 | 	0 outbound packets with no SA available
 928 | 	0 outbound packets failed due to insufficient memory
 929 | 	0 outbound packets with no route available
 930 | 	0 invalid outbound packets
 931 | 	0 outbound packets with bundled SAs
 932 | 	0 spd cache hits
 933 | 	0 spd cache misses
 934 | 	0 clusters copied during clone
 935 | 	0 mbufs inserted during makespace
 936 | rip6:
 937 | 	0 messages received
 938 | 	0 checksum calculations on inbound
 939 | 	0 messages with bad checksum
 940 | 	0 messages dropped due to no socket
 941 | 	0 multicast messages dropped due to no socket
 942 | 	0 messages dropped due to full socket buffers
 943 | 	0 delivered
 944 | 	0 datagrams output
 945 | pfkey:
 946 | 	0 requests sent from userland
 947 | 	0 bytes sent from userland
 948 | 	0 messages with invalid length field
 949 | 	0 messages with invalid version field
 950 | 	0 messages with invalid message type field
 951 | 	0 messages too short
 952 | 	0 messages with memory allocation failure
 953 | 	0 messages with duplicate extension
 954 | 	0 messages with invalid extension type
 955 | 	0 messages with invalid sa type
 956 | 	0 messages with invalid address extension
 957 | 	0 requests sent to userland
 958 | 	0 bytes sent to userland
 959 | 	0 messages toward single socket
 960 | 	0 messages toward all sockets
 961 | 	0 messages toward registered sockets
 962 | 	0 messages with memory allocation failure
 963 | 
 964 | ------------------------------------------------------------------------
 965 | netstat -m
 966 | 
 967 | 1066/6297/7363 mbufs in use (current/cache/total)
 968 | 1011/1555/2566/126428 mbuf clusters in use (current/cache/total/max)
 969 | 0/519 mbuf+clusters out of packet secondary zone in use (current/cache)
 970 | 0/3/3/63214 4k (page size) jumbo clusters in use (current/cache/total/max)
 971 | 0/0/0/56190 9k jumbo clusters in use (current/cache/total/max)
 972 | 0/0/0/42140 16k jumbo clusters in use (current/cache/total/max)
 973 | 2288K/4696K/6984K bytes allocated to network (current/cache/total)
 974 | 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
 975 | 0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
 976 | 0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
 977 | 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
 978 | 0 sendfile syscalls
 979 | 0 sendfile syscalls completed without I/O request
 980 | 0 requests for I/O initiated by sendfile
 981 | 0 pages read by sendfile as part of a request
 982 | 0 pages were valid at time of a sendfile request
 983 | 0 pages were valid and substituted to bogus page
 984 | 0 pages were requested for read ahead by applications
 985 | 0 pages were read ahead by sendfile
 986 | 0 times sendfile encountered an already busy page
 987 | 0 requests for sfbufs denied
 988 | 0 requests for sfbufs delayed
 989 | 
 990 | ------------------------------------------------------------------------
 991 | netstat -anA
 992 | 
 993 | Active Internet connections (including servers)
 994 | Tcpcb            Proto Recv-Q Send-Q Local Address      Foreign Address    (state)    
 995 | fffff80002f1b3d0 udp4       0      0 *.514              *.*                
 996 | fffff80002dc2d58 udp6       0      0 *.514              *.*                
 997 | 
 998 | ------------------------------------------------------------------------
 999 | netstat -aL
1000 | 
1001 | Current listen queue sizes (qlen/incqlen/maxqlen)
1002 | Proto Listen                           Local Address         
1003 | 
1004 | ------------------------------------------------------------------------
1005 | fstat
1006 | 
1007 | fstat: can't read file 1 at 0x20007ffffffffff
1008 | fstat: can't read file 2 at 0x4000000001fffff
1009 | fstat: can't read file 1 at 0x20007ffffffffff
1010 | fstat: can't read file 2 at 0x4000000001fffff
1011 | fstat: can't read file 4 at 0x780000ffff
1012 | fstat: can't read file 5 at 0x200000000
1013 | fstat: can't read file 7 at 0x20007ffffffffff
1014 | fstat: can't read file 8 at 0x4000000001fffff
1015 | fstat: can't read file 10 at 0x780000ffff
1016 | fstat: can't read file 5 at 0xb800000001
1017 | fstat: can't read file 11 at 0x8c00000000
1018 | fstat: can't read file 17 at 0x8a00000000
1019 | fstat: can't read file 1 at 0x20007ffffffffff
1020 | fstat: can't read file 2 at 0x4000000001fffff
1021 | fstat: can't read file 4 at 0x780000ffff
1022 | fstat: can't read file 5 at 0x800000000
1023 | fstat: can't read file 7 at 0x20007ffffffffff
1024 | fstat: can't read file 8 at 0x4000000001fffff
1025 | fstat: can't read file 10 at 0x780000ffff
1026 | fstat: can't read file 1 at 0x20007ffffffffff
1027 | fstat: can't read file 2 at 0x4000000001fffff
1028 | fstat: can't read file 1 at 0x20007ffffffffff
1029 | fstat: can't read file 2 at 0x4000000001fffff
1030 | fstat: can't read file 1 at 0x20007ffffffffff
1031 | fstat: can't read file 2 at 0x4000000001fffff
1032 | fstat: can't read file 1 at 0x20007ffffffffff
1033 | fstat: can't read file 2 at 0x4000000001fffff
1034 | fstat: can't read file 1 at 0x20007ffffffffff
1035 | fstat: can't read file 2 at 0x4000000001fffff
1036 | fstat: can't read file 1 at 0x20007ffffffffff
1037 | fstat: can't read file 2 at 0x4000000001fffff
1038 | fstat: can't read file 1 at 0x20007ffffffffff
1039 | fstat: can't read file 2 at 0x4000000001fffff
1040 | fstat: can't read file 1 at 0x20007ffffffffff
1041 | fstat: can't read file 2 at 0x4000000001fffff
1042 | fstat: can't read file 1 at 0x20007ffffffffff
1043 | fstat: can't read file 2 at 0x4000000001fffff
1044 | fstat: can't read file 4 at 0x780000ffff
1045 | fstat: can't read file 1 at 0x20007ffffffffff
1046 | fstat: can't read file 2 at 0x4000000001fffff
1047 | fstat: can't read file 4 at 0x780000ffff
1048 | fstat: can't read file 1 at 0x20007ffffffffff
1049 | fstat: can't read file 2 at 0x4000000001fffff
1050 | fstat: can't read file 4 at 0x780000ffff
1051 | fstat: can't read file 5 at 0x600000000
1052 | fstat: can't read file 1 at 0x20007ffffffffff
1053 | fstat: can't read file 2 at 0x4000000001fffff
1054 | fstat: can't read file 4 at 0x780000ffff
1055 | fstat: can't read file 1 at 0x20007ffffffffff
1056 | fstat: can't read file 2 at 0x4000000001fffff
1057 | fstat: can't read file 4 at 0x780000ffff
1058 | fstat: can't read file 5 at 0x400000000
1059 | fstat: can't read file 7 at 0x20007ffffffffff
1060 | fstat: can't read file 8 at 0x4000000001fffff
1061 | fstat: can't read file 10 at 0x780000ffff
1062 | fstat: can't read file 11 at 0x400000000
1063 | fstat: can't read file 13 at 0x20007ffffffffff
1064 | fstat: can't read file 14 at 0x4000000001fffff
1065 | fstat: can't read file 16 at 0x780000ffff
1066 | fstat: can't read file 17 at 0x400000000
1067 | fstat: can't read file 19 at 0x20007ffffffffff
1068 | fstat: can't read file 20 at 0x4000000001fffff
1069 | fstat: can't read file 22 at 0x780000ffff
1070 | fstat: can't read file 23 at 0x2600000001
1071 | fstat: can't read file 1 at 0x20007ffffffffff
1072 | fstat: can't read file 2 at 0x4000000001fffff
1073 | fstat: can't read file 4 at 0x780000ffff
1074 | fstat: can't read file 5 at 0x800000000
1075 | fstat: can't read file 7 at 0x20007ffffffffff
1076 | fstat: can't read file 8 at 0x4000000001fffff
1077 | fstat: can't read file 1 at 0x200000000000000
1078 | fstat: can't read file 2 at 0x400000000000000
1079 | fstat: can't read file 5 at 0x800000000
1080 | fstat: can't read file 7 at 0x200000000000002
1081 | fstat: can't read file 8 at 0x400000000000000
1082 | fstat: can't read file 11 at 0x400000000
1083 | fstat: can't read file 1 at 0x20007ffffffffff
1084 | fstat: can't read file 2 at 0x4000000001fffff
1085 | fstat: can't read file 4 at 0x780000ffff
1086 | fstat: can't read file 5 at 0x800000000
1087 | fstat: can't read file 7 at 0x20007ffffffffff
1088 | fstat: can't read file 8 at 0x4000000001fffff
1089 | fstat: can't read file 10 at 0x780000ffff
1090 | fstat: can't read file 1 at 0x20007ffffffffff
1091 | fstat: can't read file 2 at 0x4000000001fffff
1092 | fstat: can't read file 4 at 0x780000ffff
1093 | fstat: can't read file 5 at 0x800000000
1094 | USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
1095 | root     mount        876 root /             2 drwxr-xr-x    1024  r
1096 | root     mount        876   wd /        802560 drwxr-xr-x     512  r
1097 | root     mount        876 text /        1524919 -r-xr-xr-x   36216  r
1098 | root     mount        876 ctty /dev         85 crw--w----   pts/0 rw
1099 | root     mount        876    0 /dev         85 crw--w----   pts/0 rw
1100 | root     md0          875 root /             2 drwxr-xr-x    1024  r
1101 | root     md0          875   wd /             2 drwxr-xr-x    1024  r
1102 | root     sh           870 root /             2 drwxr-xr-x    1024  r
1103 | root     sh           870   wd /        802560 drwxr-xr-x     512  r
1104 | root     sh           870 text /        722328 -r-xr-xr-x  168968  r
1105 | root     sh           870 ctty /dev         85 crw--w----   pts/0 rw
1106 | root     sh           870    0 /dev         85 crw--w----   pts/0 rw
1107 | root     sh           870    6 /dev         85 crw--w----   pts/0 rw
1108 | root     csh          862 root /             2 drwxr-xr-x    1024  r
1109 | root     csh          862   wd /        802560 drwxr-xr-x     512  r
1110 | root     csh          862 text /        722330 -r-xr-xr-x  433232  r
1111 | root     csh          862 ctty /dev         85 crw--w----   pts/0 rw
1112 | root     sshd         859 root /             2 drwxr-xr-x    1024  r
1113 | root     sshd         859   wd /             2 drwxr-xr-x    1024  r
1114 | root     sshd         859 text /        481551 -r-xr-xr-x  311136  r
1115 | root     sshd         859    0 /dev         16 crw-rw-rw-    null rw
1116 | root     sshd         859    6 /dev         16 crw-rw-rw-    null rw
1117 | root     getty        783 root /             2 drwxr-xr-x    1024  r
1118 | root     getty        783   wd /             2 drwxr-xr-x    1024  r
1119 | root     getty        783 text /        485386 -r-xr-xr-x   36056  r
1120 | root     getty        783 ctty /dev         69 crw-------   ttyv7 rw
1121 | root     getty        783    0 /dev         69 crw-------   ttyv7 rw
1122 | root     getty        782 root /             2 drwxr-xr-x    1024  r
1123 | root     getty        782   wd /             2 drwxr-xr-x    1024  r
1124 | root     getty        782 text /        485386 -r-xr-xr-x   36056  r
1125 | root     getty        782 ctty /dev         68 crw-------   ttyv6 rw
1126 | root     getty        782    0 /dev         68 crw-------   ttyv6 rw
1127 | root     getty        781 root /             2 drwxr-xr-x    1024  r
1128 | root     getty        781   wd /             2 drwxr-xr-x    1024  r
1129 | root     getty        781 text /        485386 -r-xr-xr-x   36056  r
1130 | root     getty        781 ctty /dev         67 crw-------   ttyv5 rw
1131 | root     getty        781    0 /dev         67 crw-------   ttyv5 rw
1132 | root     getty        780 root /             2 drwxr-xr-x    1024  r
1133 | root     getty        780   wd /             2 drwxr-xr-x    1024  r
1134 | root     getty        780 text /        485386 -r-xr-xr-x   36056  r
1135 | root     getty        780 ctty /dev         66 crw-------   ttyv4 rw
1136 | root     getty        780    0 /dev         66 crw-------   ttyv4 rw
1137 | root     getty        779 root /             2 drwxr-xr-x    1024  r
1138 | root     getty        779   wd /             2 drwxr-xr-x    1024  r
1139 | root     getty        779 text /        485386 -r-xr-xr-x   36056  r
1140 | root     getty        779 ctty /dev         65 crw-------   ttyv3 rw
1141 | root     getty        779    0 /dev         65 crw-------   ttyv3 rw
1142 | root     getty        778 root /             2 drwxr-xr-x    1024  r
1143 | root     getty        778   wd /             2 drwxr-xr-x    1024  r
1144 | root     getty        778 text /        485386 -r-xr-xr-x   36056  r
1145 | root     getty        778 ctty /dev         64 crw-------   ttyv2 rw
1146 | root     getty        778    0 /dev         64 crw-------   ttyv2 rw
1147 | root     getty        777 root /             2 drwxr-xr-x    1024  r
1148 | root     getty        777   wd /             2 drwxr-xr-x    1024  r
1149 | root     getty        777 text /        485386 -r-xr-xr-x   36056  r
1150 | root     getty        777 ctty /dev         63 crw-------   ttyv1 rw
1151 | root     getty        777    0 /dev         63 crw-------   ttyv1 rw
1152 | root     getty        776 root /             2 drwxr-xr-x    1024  r
1153 | root     getty        776   wd /             2 drwxr-xr-x    1024  r
1154 | root     getty        776 text /        485386 -r-xr-xr-x   36056  r
1155 | root     getty        776 ctty /dev         62 crw-------   ttyv0 rw
1156 | root     getty        776    0 /dev         62 crw-------   ttyv0 rw
1157 | root     cron         726 root /             2 drwxr-xr-x    1024  r
1158 | root     cron         726   wd /        722306 drwxr-x---     512  r
1159 | root     cron         726 text /        481657 -r-xr-xr-x   52304  r
1160 | root     cron         726    0 /dev         16 crw-rw-rw-    null rw
1161 | smmsp    sendmail     722 root /             2 drwxr-xr-x    1024  r
1162 | smmsp    sendmail     722   wd /        802569 drwxrwx---     512  r
1163 | smmsp    sendmail     722 text /        570832 -r-xr-sr-x  740544  r
1164 | smmsp    sendmail     722    0 /dev         16 crw-rw-rw-    null  r
1165 | root     sendmail     719 root /             2 drwxr-xr-x    1024  r
1166 | root     sendmail     719   wd /        802565 drwxr-xr-x     512  r
1167 | root     sendmail     719 text /        570832 -r-xr-sr-x  740544  r
1168 | root     sendmail     719    0 /dev         16 crw-rw-rw-    null  r
1169 | root     sshd         716 root /             2 drwxr-xr-x    1024  r
1170 | root     sshd         716   wd /             2 drwxr-xr-x    1024  r
1171 | root     sshd         716 text /        481551 -r-xr-xr-x  311136  r
1172 | root     sshd         716    0 /dev         16 crw-rw-rw-    null rw
1173 | root     syslogd      591 root /             2 drwxr-xr-x    1024  r
1174 | root     syslogd      591   wd /             2 drwxr-xr-x    1024  r
1175 | root     syslogd      591 text /        481682 -r-xr-xr-x   56544  r
1176 | root     syslogd      591    0 /dev         16 crw-rw-rw-    null rw
1177 | root     syslogd      591    6 /dev         16 crw-rw-rw-    null rw
1178 | root     syslogd      591   12 /dev         16 crw-rw-rw-    null rw
1179 | root     syslogd      591   18* pipe fffff80002dd82f8 <-> fffff80002dd8460      0 rw
1180 | root     devd         448 root /             2 drwxr-xr-x    1024  r
1181 | root     devd         448   wd /             2 drwxr-xr-x    1024  r
1182 | root     devd         448 text /        1524942 -r-xr-xr-x  968904  r
1183 | root     devd         448    0 /dev         16 crw-rw-rw-    null rw
1184 | root     devd         448    6 /dev         16 crw-rw-rw-    null rw
1185 | _dhcp    dhclient     447 root /             2 drwxr-xr-x    1024  r
1186 | _dhcp    dhclient     447   wd /             2 drwxr-xr-x    1024  r
1187 | _dhcp    dhclient     447 text /        1524929 -r-xr-xr-x  106880  r
1188 | _dhcp    dhclient     447    0 /dev         16 crw-rw-rw-    null rw
1189 | _dhcp    dhclient     447    6 /dev         16 crw-rw-rw-    null rw
1190 | root     dhclient     400 root /             2 drwxr-xr-x    1024  r
1191 | root     dhclient     400   wd /             2 drwxr-xr-x    1024  r
1192 | root     dhclient     400 text /        1524929 -r-xr-xr-x  106880  r
1193 | root     dhclient     400    0 /dev         16 crw-rw-rw-    null rw
1194 | root     dhclient     400    6 /dev         16 crw-rw-rw-    null rw
1195 | root     dhclient     397 root /             2 drwxr-xr-x    1024  r
1196 | root     dhclient     397   wd /             2 drwxr-xr-x    1024  r
1197 | root     dhclient     397 text /        1524929 -r-xr-xr-x  106880  r
1198 | root     dhclient     397    0 /dev         16 crw-rw-rw-    null rw
1199 | root     dhclient     397    6 /dev         16 crw-rw-rw-    null rw
1200 | root     init           1 root /             2 drwxr-xr-x    1024  r
1201 | root     init           1   wd /             2 drwxr-xr-x    1024  r
1202 | root     init           1 text /        1524881 -r-xr-xr-x  1248816  r
1203 | root     kernel         0 root /             2 drwxr-xr-x    1024  r
1204 | root     kernel         0   wd /             2 drwxr-xr-x    1024  r
1205 | 
1206 | ------------------------------------------------------------------------
1207 | dmesg
1208 | 
1209 | ---<<BOOT>>---
1210 | Copyright (c) 1992-2019 The FreeBSD Project.
1211 | Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
1212 | 	The Regents of the University of California. All rights reserved.
1213 | FreeBSD is a registered trademark of The FreeBSD Foundation.
1214 | FreeBSD 12.1-RELEASE GENERIC amd64
1215 | FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on LLVM 8.0.1)
1216 | WARNING: DIAGNOSTIC option enabled, expect reduced performance.
1217 | Entering uma_startup with 6 boot pages configured
1218 | startup_alloc from "UMA Kegs", 5 boot pages left
1219 | startup_alloc from "UMA Zones", 4 boot pages left
1220 | startup_alloc from "UMA Zones", 3 boot pages left
1221 | startup_alloc from "UMA Hash", 2 boot pages left
1222 | startup_alloc from "UMA Zones", 1 boot pages left
1223 | Entering uma_startup1 with 0 boot pages left
1224 | Entering uma_startup2 with 0 boot pages left
1225 | VT(vga): text 80x25
1226 | CPU: Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS) (3400.05-MHz K8-class CPU)
1227 |   Origin="GenuineIntel"  Id=0x306a9  Family=0x6  Model=0x3a  Stepping=9
1228 |   Features=0x783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2>
1229 |   Features2=0xffb82203<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND,HV>
1230 |   AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM>
1231 |   AMD Features2=0x1<LAHF>
1232 |   Structured Extended Features=0x281<FSGSBASE,SMEP,ERMS>
1233 |   Structured Extended Features3=0x4000000<IBPB>
1234 |   XSAVE Features=0x1<XSAVEOPT>
1235 | Hypervisor: Origin = "KVMKVMKVM"
1236 | real memory  = 2147483648 (2048 MB)
1237 | avail memory = 2061807616 (1966 MB)
1238 | Event timer "LAPIC" quality 600
1239 | ACPI APIC Table: <BOCHS  BXPCAPIC>
1240 | FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
1241 | FreeBSD/SMP: 2 package(s) x 1 core(s)
1242 | random: unblocking device.
1243 | ioapic0 <Version 1.1> irqs 0-23 on motherboard
1244 | Launching APs: 1
1245 | random: entropy device external interface
1246 | 000.000019 [4335] netmap_init               netmap: loaded module
1247 | module_register_init: MOD_LOAD (vesa, 0xffffffff809dab90, 0) error 19
1248 | random: registering fast source Intel Secure Key RNG
1249 | random: fast provider: "Intel Secure Key RNG"
1250 | nexus0
1251 | vtvga0: <VT VGA driver> on motherboard
1252 | cryptosoft0: <software crypto> on motherboard
1253 | acpi0: <BOCHS BXPCRSDT> on motherboard
1254 | acpi0: Power Button (fixed)
1255 | cpu0: <ACPI CPU> on acpi0
1256 | atrtc0: <AT realtime clock> port 0x70-0x71,0x72-0x77 irq 8 on acpi0
1257 | atrtc0: registered as a time-of-day clock, resolution 1.000000s
1258 | Event timer "RTC" frequency 32768 Hz quality 0
1259 | Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
1260 | acpi_timer0: <24-bit timer at 3.579545MHz> port 0x608-0x60b on acpi0
1261 | pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
1262 | pci0: <ACPI PCI bus> on pcib0
1263 | isab0: <PCI-ISA bridge> at device 1.0 on pci0
1264 | isa0: <ISA bus> on isab0
1265 | atapci0: <Intel PIIX3 WDMA2 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xc120-0xc12f at device 1.1 on pci0
1266 | ata0: <ATA channel> at channel 0 on atapci0
1267 | ata1: <ATA channel> at channel 1 on atapci0
1268 | pci0: <bridge> at device 1.3 (no driver attached)
1269 | vgapci0: <VGA-compatible display> port 0xc080-0xc09f mem 0xf4000000-0xf7ffffff,0xf8000000-0xfbffffff,0xfc0b4000-0xfc0b5fff irq 10 at device 2.0 on pci0
1270 | vgapci0: Boot video device
1271 | em0: <Intel(R) PRO/1000 Network Connection> port 0xc000-0xc03f mem 0xfc080000-0xfc09ffff irq 11 at device 3.0 on pci0
1272 | em0: Using 1024 TX descriptors and 1024 RX descriptors
1273 | em0: Ethernet address: 52:54:00:78:91:27
1274 | em0: netmap queues/slots: TX 1/1024, RX 1/1024
1275 | pci0: <multimedia, HDA> at device 4.0 (no driver attached)
1276 | uhci0: <Intel 82801I (ICH9) USB controller> port 0xc0a0-0xc0bf irq 10 at device 5.0 on pci0
1277 | usbus0 on uhci0
1278 | usbus0: 12Mbps Full Speed USB v1.0
1279 | uhci1: <Intel 82801I (ICH9) USB controller> port 0xc0c0-0xc0df irq 10 at device 5.1 on pci0
1280 | usbus1 on uhci1
1281 | usbus1: 12Mbps Full Speed USB v1.0
1282 | uhci2: <Intel 82801I (ICH9) USB controller> port 0xc0e0-0xc0ff irq 11 at device 5.2 on pci0
1283 | usbus2 on uhci2
1284 | usbus2: 12Mbps Full Speed USB v1.0
1285 | ehci0: <Intel 82801I (ICH9) USB 2.0 controller> mem 0xfc0b6000-0xfc0b6fff irq 11 at device 5.7 on pci0
1286 | usbus3: EHCI version 1.0
1287 | usbus3 on ehci0
1288 | usbus3: 480Mbps High Speed USB v2.0
1289 | virtio_pci0: <VirtIO PCI Console adapter> port 0xc040-0xc07f mem 0xfc0b7000-0xfc0b7fff,0xfebf8000-0xfebfbfff irq 10 at device 6.0 on pci0
1290 | virtio_pci1: <VirtIO PCI Balloon adapter> port 0xc100-0xc11f mem 0xfebfc000-0xfebfffff irq 11 at device 7.0 on pci0
1291 | vtballoon0: <VirtIO Balloon Adapter> on virtio_pci1
1292 | acpi_syscontainer0: <System Container> on acpi0
1293 | acpi_syscontainer1: <System Container> port 0xaf00-0xaf0b on acpi0
1294 | acpi_syscontainer2: <System Container> port 0xafe0-0xafe3 on acpi0
1295 | acpi_syscontainer3: <System Container> port 0xae00-0xae13 on acpi0
1296 | orm0: <ISA Option ROMs> at iomem 0xc0000-0xc97ff,0xec800-0xeffff pnpid ORM0000 on isa0
1297 | vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff pnpid PNP0900 on isa0
1298 | attimer0: <AT timer> at port 0x40 on isa0
1299 | Timecounter "i8254" frequency 1193182 Hz quality 0
1300 | Event timer "i8254" frequency 1193182 Hz quality 100
1301 | attimer0: non-PNP ISA device will be removed from GENERIC in FreeBSD 12.
1302 | NULL mp in getnewvnode(9), tag crossmp
1303 | Timecounters tick every 10.000 msec
1304 | ugen2.1: <Intel UHCI root HUB> at usbus2
1305 | ugen3.1: <Intel EHCI root HUB> at usbus3
1306 | uhub0: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus2
1307 | uhub1: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus3
1308 | ugen1.1: <Intel UHCI root HUB> at usbus1
1309 | uhub2: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus1
1310 | ugen0.1: <Intel UHCI root HUB> at usbus0
1311 | uhub3: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
1312 | ada0 at ata0 bus 0 scbus0 target 0 lun 0
1313 | ada0: <QEMU HARDDISK 2.5+> ATA-7 device
1314 | ada0: Serial Number QM00001
1315 | ada0: 16.700MB/s transfers (WDMA2, PIO 8192bytes)
1316 | ada0: 15360MB (31457280 512 byte sectors)
1317 | cd0 at ata0 bus 0 scbus0 target 1 lun 0
1318 | cd0: <QEMU QEMU DVD-ROM 2.5+> Removable CD-ROM SCSI device
1319 | cd0: Serial Number QM00002
1320 | cd0: 16.700MB/s transfers (WDMA2, ATAPI 12bytes, PIO 65534bytes)
1321 | cd0: Attempt to query device size failed: NOT READY, Medium not present
1322 | WARNING: DIAGNOSTIC option enabled, expect reduced performance.
1323 | Trying to mount root from ufs:/dev/ada0s1a [rw]...
1324 | Expensive timeout(9) function: 0xffffffff8051acf0(0xffffffff80c7c0b0) 0.005778946 s
1325 | WARNING: / was not properly dismounted
1326 | Setting hostuuid: 6937f3f9-eb44-4c40-9be8-f151db2f95cd.
1327 | Setting hostid: 0xe2a30ef9.
1328 | Starting file system checks:
1329 | ** SU+J Recovering /dev/ada0s1a
1330 | ** Reading 33554432 byte journal from inode 4.
1331 | ** Building recovery table.
1332 | ** Resolving unreferenced inode list.
1333 | ** Processing journal entries.
1334 | uhub0: 2 ports with 2 removable, self powered
1335 | ** 100 journal records in 6656 bytes for 48.08% utilization
1336 | ** Freed 30 inodes (9 dirs) 0 blocks, and 5 frags.
1337 | 
1338 | ***** FILE SYSTEM MARKED CLEAN *****
1339 | uhub2: 2 ports with 2 removable, self powered
1340 | uhub3: 2 ports with 2 removable, self powered
1341 | Mounting local filesystems:.
1342 | ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/e2fsprogs /usr/local/lib/perl5/5.30/mach/CORE
1343 | 32-bit compatibility ldconfig path: /usr/lib32
1344 | Setting up harvesting: PURE_RDRAND,[UMA],[FS_ATIME],SWI,INTERRUPT,NET_NG,NET_ETHER,NET_TUN,MOUSE,KEYBOARD,ATTACH,CACHED
1345 | Feeding entropy: .
1346 | lo0: link state changed to UP
1347 | uhub1: 6 ports with 6 removable, self powered
1348 | em0: link state changed to UP
1349 | Starting Network: lo0 em0.
1350 | lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
1351 | 	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
1352 | 	inet6 ::1 prefixlen 128
1353 | 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
1354 | 	inet 127.0.0.1 netmask 0xff000000
1355 | 	groups: lo
1356 | 	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
1357 | em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
1358 | 	options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
1359 | 	ether 52:54:00:78:91:27
1360 | 	media: Ethernet autoselect (1000baseT <full-duplex>)
1361 | 	status: active
1362 | 	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
1363 | Starting devd.
1364 | Autoloading module: intpm.ko
1365 | intsmb0: <Intel PIIX4 SMBUS Interface> irq 9 at device 1.3 on pci0
1366 | intsmb0: intr IRQ 9 enabled revision 0
1367 | smbus0: <System Management Bus> on intsmb0
1368 | Starting dhclient.
1369 | DHCPREQUEST on em0 to 255.255.255.255 port 67
1370 | DHCPACK from 192.168.122.1
1371 | if_delmulti_locked: detaching ifnet instance 0xfffff80002405800
1372 | bound to 192.168.122.232 -- renewal in 1800 seconds.
1373 | add host 127.0.0.1: gateway lo0 fib 0: route already in table
1374 | add host ::1: gateway lo0 fib 0: route already in table
1375 | add net fe80::: gateway ::1
1376 | add net ff02::: gateway ::1
1377 | add net ::ffff:0.0.0.0: gateway ::1
1378 | add net ::0.0.0.0: gateway ::1
1379 | Creating and/or trimming log files.
1380 | Starting syslogd.
1381 | No core dumps found.
1382 | Clearing /tmp (X related).
1383 | Updating motd:.
1384 | Mounting late filesystems:.
1385 | Configuring vt: keymap blanktime.
1386 | Performing sanity check on sshd configuration.
1387 | Starting sshd.
1388 | Starting sendmail_submit.
1389 | Starting sendmail_msp_queue.
1390 | Starting cron.
1391 | Starting background file system checks in 60 seconds.
1392 | 
1393 | Mon Apr  6 11:53:14 CEST 2020
1394 | WARNING: /mnt/tc: GJOURNAL flag on fs but no gjournal provider below
1395 | WARNING: /mnt/tc: NFSv4 ACLs flag on fs conflicts with "acls" mount option; option ignored
1396 | Failed to find journal.  Use tunefs to create one
1397 | Failed to start journal: 22
1398 | panic: hashdestroy: hashtbl 0xfffffe001b271000 not empty (malloc type inodedep)
1399 | cpuid = 1
1400 | time = 1586169731
1401 | KDB: stack backtrace:
1402 | #0 0xffffffff806d65a7 at kdb_backtrace+0x67
1403 | #1 0xffffffff8068d84d at vpanic+0x19d
1404 | #2 0xffffffff8068d633 at panic+0x43
1405 | #3 0xffffffff806d54c7 at hashdestroy+0x47
1406 | #4 0xffffffff8092ef90 at softdep_unmount+0x260
1407 | #5 0xffffffff8092ecff at softdep_mount+0xa8f
1408 | #6 0xffffffff8094a1a1 at ffs_mount+0x1a61
1409 | #7 0xffffffff8074e2a3 at vfs_domount+0x733
1410 | #8 0xffffffff8074d577 at vfs_donmount+0x7e7
1411 | #9 0xffffffff8074cd61 at sys_nmount+0x71
1412 | #10 0xffffffff809ca547 at amd64_syscall+0x277
1413 | #11 0xffffffff809a27b0 at fast_syscall_common+0x101
1414 | Uptime: 49m4s
1415 | Dumping 129 out of 2027 MB:..13%..25%..38%..50%..62%..75%..87%..99%
1416 | 
1417 | ------------------------------------------------------------------------
1418 | kernel config
1419 | 
1420 | options	CONFIG_AUTOGENERATED
1421 | ident	GENERIC
1422 | machine	amd64
1423 | cpu	HAMMER
1424 | makeoptions	WITH_CTF=1
1425 | makeoptions	DEBUG=-g
1426 | options	EVDEV_SUPPORT
1427 | options	XENHVM
1428 | options	USB_DEBUG
1429 | options	SC_PIXEL_MODE
1430 | options	VESA
1431 | options	PCI_IOV
1432 | options	PCI_HP
1433 | options	ACPI_DMAR
1434 | options	EARLY_AP_STARTUP
1435 | options	SMP
1436 | options	NETDUMP
1437 | options	ZSTDIO
1438 | options	GZIO
1439 | options	EKCD
1440 | options	DEBUG_REDZONE
1441 | options	DIAGNOSTIC
1442 | options	INVARIANT_SUPPORT
1443 | options	INVARIANTS
1444 | options	KDB_TRACE
1445 | options	KDB
1446 | options	RCTL
1447 | options	RACCT_DEFAULT_TO_DISABLED
1448 | options	RACCT
1449 | options	INCLUDE_CONFIG_FILE
1450 | options	DDB_CTF
1451 | options	KDTRACE_HOOKS
1452 | options	KDTRACE_FRAME
1453 | options	MAC
1454 | options	CAPABILITIES
1455 | options	CAPABILITY_MODE
1456 | options	AUDIT
1457 | options	HWPMC_HOOKS
1458 | options	KBD_INSTALL_CDEV
1459 | options	PRINTF_BUFR_SIZE=128
1460 | options	_KPOSIX_PRIORITY_SCHEDULING
1461 | options	SYSVSEM
1462 | options	SYSVMSG
1463 | options	SYSVSHM
1464 | options	STACK
1465 | options	KTRACE
1466 | options	SCSI_DELAY=5000
1467 | options	COMPAT_FREEBSD11
1468 | options	COMPAT_FREEBSD10
1469 | options	COMPAT_FREEBSD9
1470 | options	COMPAT_FREEBSD7
1471 | options	COMPAT_FREEBSD6
1472 | options	COMPAT_FREEBSD5
1473 | options	COMPAT_FREEBSD4
1474 | options	COMPAT_FREEBSD32
1475 | options	EFIRT
1476 | options	GEOM_LABEL
1477 | options	GEOM_RAID
1478 | options	PSEUDOFS
1479 | options	PROCFS
1480 | options	CD9660
1481 | options	MSDOSFS
1482 | options	NFS_ROOT
1483 | options	NFSLOCKD
1484 | options	NFSD
1485 | options	NFSCL
1486 | options	MD_ROOT
1487 | options	QUOTA
1488 | options	UFS_GJOURNAL
1489 | options	UFS_DIRHASH
1490 | options	UFS_ACL
1491 | options	SOFTUPDATES
1492 | options	FFS
1493 | options	SCTP
1494 | options	TCP_RFC7413
1495 | options	TCP_HHOOK
1496 | options	TCP_BLACKBOX
1497 | options	TCP_OFFLOAD
1498 | options	IPSEC_SUPPORT
1499 | options	IPSEC
1500 | options	INET6
1501 | options	INET
1502 | options	VIMAGE
1503 | options	PREEMPTION
1504 | options	NUMA
1505 | options	SCHED_ULE
1506 | options	NEW_PCIB
1507 | options	GEOM_PART_GPT
1508 | options	GEOM_PART_MBR
1509 | options	GEOM_PART_EBR_COMPAT
1510 | options	GEOM_PART_EBR
1511 | options	GEOM_PART_BSD
1512 | device	isa
1513 | device	mem
1514 | device	io
1515 | device	uart_ns8250
1516 | device	cpufreq
1517 | device	acpi
1518 | device	pci
1519 | device	ahci
1520 | device	ata
1521 | device	mvs
1522 | device	siis
1523 | device	scbus
1524 | device	ch
1525 | device	da
1526 | device	sa
1527 | device	cd
1528 | device	pass
1529 | device	ses
1530 | device	nvme
1531 | device	nvd
1532 | device	vga
1533 | device	splash
1534 | device	sc
1535 | device	vt
1536 | device	vt_vga
1537 | device	vt_efifb
1538 | device	agp
1539 | device	ppc
1540 | device	ppbus
1541 | device	ppi
1542 | device	iflib
1543 | device	em
1544 | device	crypto
1545 | device	loop
1546 | device	random
1547 | device	padlock_rng
1548 | device	rdrand_rng
1549 | device	ether
1550 | device	vlan
1551 | device	tun
1552 | device	md
1553 | device	gif
1554 | device	firmware
1555 | device	bpf
1556 | device	uhci
1557 | device	ohci
1558 | device	ehci
1559 | device	xhci
1560 | device	usb
1561 | device	ukbd
1562 | device	umass
1563 | device	virtio
1564 | device	virtio_pci
1565 | device	vtnet
1566 | device	virtio_blk
1567 | device	virtio_scsi
1568 | device	virtio_balloon
1569 | device	hyperv
1570 | device	xenpci
1571 | device	netmap
1572 | device	evdev
1573 | device	uinput
1574 | 
1575 | ------------------------------------------------------------------------
1576 | ddb capture buffer
1577 | 
1578 | ddb: ddb_capture: kvm_nlist
1579 | 


--------------------------------------------------------------------------------
/testcases/core_features/extract_core_features.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import hashlib
 4 | import re
 5 | import sys
 6 | 
 7 | 
 8 | def get_panic_name(data):
 9 |     return str(data).split('panic:')[1].split(':')[0].split('(')[0].split('bp')[0].split('fip')[0].split('\\')[0].split(
10 |         ', addr:')[0].strip().replace(' ', '_').split('_/')[0]
11 | 
12 | 
13 | def get_core_details(data):
14 |     full_strace = str(data).split('KDB: stack backtrace:')[1].split('--- syscall')[0].split('Uptime')[0].replace('\\',
15 |                                                                                                                  '\n').replace(
16 |         '\nn', '\n').strip()
17 |     clean_strace = ''
18 |     for line in full_strace.split('\n'):
19 |         if re.match(r'---\strap\s', line):
20 |             continue
21 |         if re.match(r'#[0-9]{1,3}\s0x[0-9a-f]{0,16}\sat\s', line):
22 |             clean_strace += line.split(' at ')[1] + '\n'
23 |         else:
24 |             clean_strace += line.split('/frame')[0] + '\n'
25 |     return clean_strace
26 | 
27 | 
28 | def get_sha256_sum(sanitized_stack_trace):
29 |     return hashlib.sha256(sanitized_stack_trace.encode()).hexdigest()
30 | 
31 | 
32 | def get_md5_sum(sanitized_stack_trace):
33 |     return hashlib.md5(sanitized_stack_trace.encode()).hexdigest()
34 | 
35 | 
36 | def main():
37 |     if len(sys.argv) != 2:
38 |         print(f'Usage: {sys.argv[0]} <core.txt>')
39 |         sys.exit(-1)
40 |     with open(sys.argv[1], 'rb') as f:
41 |         data = f.read()
42 | 
43 |     clean_stack_trace = get_core_details(data)
44 |     print(clean_stack_trace)
45 |     print('-' * 80)
46 |     print(f'MD5:    {get_md5_sum(clean_stack_trace)}')
47 |     print(f'SHA256: {get_sha256_sum(clean_stack_trace)}')
48 | 
49 | 
50 | if __name__ == '__main__':
51 |     sys.exit(main())
52 | 


--------------------------------------------------------------------------------
/testcases/poc_1/README.md:
--------------------------------------------------------------------------------
1 | just a standard ufs2 file system with no modifications done
2 | 


--------------------------------------------------------------------------------
/testcases/poc_1/poc1_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_1/poc1_ufs2


--------------------------------------------------------------------------------
/testcases/poc_2/README.md:
--------------------------------------------------------------------------------
1 | injected a custom value into the "last mounted at" field of the superblock, as seen in the "file" output
2 | 


--------------------------------------------------------------------------------
/testcases/poc_2/poc2_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_2/poc2_ufs2


--------------------------------------------------------------------------------
/testcases/poc_3/README.md:
--------------------------------------------------------------------------------
1 | Overwritten magic bytes
2 | 
3 | 


--------------------------------------------------------------------------------
/testcases/poc_3/poc3_all_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_3/poc3_all_ufs2


--------------------------------------------------------------------------------
/testcases/poc_3/poc3_sb0_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_3/poc3_sb0_ufs2


--------------------------------------------------------------------------------
/testcases/poc_3/poc3_sb1_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_3/poc3_sb1_ufs2


--------------------------------------------------------------------------------
/testcases/poc_3/poc3_sb2_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_3/poc3_sb2_ufs2


--------------------------------------------------------------------------------
/testcases/poc_4/poc4_ufs2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_4/poc4_ufs2


--------------------------------------------------------------------------------
/testcases/poc_5/poc5_ext:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_5/poc5_ext


--------------------------------------------------------------------------------
/testcases/poc_5/poc5_ufs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_5/poc5_ufs


--------------------------------------------------------------------------------
/testcases/poc_6/PoC.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 | 
3 | mkdir /mnt/radamsa_fs_fuzz1_ufs_15MB
4 | mdconfig -a -t vnode -f radamsa_fs_fuzz1_ufs_15MB
5 | echo "[!] Mounting..."
6 | mount -t ufs /dev/md0 /mnt/radamsa_fs_fuzz1_ufs_15MB
7 | 
8 | 


--------------------------------------------------------------------------------
/testcases/poc_6/poc6_ufs2_nd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xricksanchez/HITB2020_FSFUZZER/a84738f6c9e9ceca5dc38171ddbcf366c85132e3/testcases/poc_6/poc6_ufs2_nd


--------------------------------------------------------------------------------