The fail0verflow team has published details of an old bug in the FreeBSD kernel, discovered in 2020 by a researcher whose name has not been disclosed and who found it in just 15 minutes.

Following this discovery, C++ code was written to make the exploit more reliable, since the PlayStation 5 kernel had introduced memory randomization.
To work on the bug, you need to set up a virtual machine (VM) running FreeBSD 11.0. The VM image can be downloaded from the FreeBSD online archive, and SSH must be enabled on the VM by adding a user, editing the rc configuration file and starting the SSH service.
To rebuild the kernel with debugging support you must work directly on the VM, because the FreeBSD 11.0 build system cannot be run on non-FreeBSD hosts.
The kernel is rebuilt with the DDB option removed from the configuration and the GDB option added. After compiling and installing the kernel, the machine is restarted and the kernel debug file is copied off the VM for use with GDB.
The next step is to set up GDB for kernel debugging: the FreeBSD kernel source is cloned, and GDB is rebuilt with FreeBSD target support.
Once this is done, you can start kernel debugging by connecting GDB to the virtual machine, using a custom GDB configuration to make the debugging session more efficient and manageable.
Below are all the steps described in the repository:
- Configuration of the virtual machine (VM):
  - Get the VM image:
    wget http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/VM-IMAGES/11.0-RELEASE/amd64/Latest/FreeBSD-11.0-RELEASE-amd64.vhd.xz
  - Enable SSH: in the VM, add a user with the command adduser, then add sshd_enable="YES" to the file /etc/rc.conf and start SSH with the command /etc/rc.d/sshd start.
- Rebuilding the kernel with debugging support:
  - Compile on the VM, as the FreeBSD build system is not compatible with non-FreeBSD hosts (support for building on other systems was added in FreeBSD 12/13, but version 11 is used here).
  - Consult the official guide, or proceed as follows:
    - Move to the kernel configuration directory:
      cd /usr/src/sys/amd64/conf
    - Copy the GENERIC configuration:
      cp GENERIC /root/CONFIG
    - Create a symbolic link to it:
      ln -s /root/CONFIG
    - Edit the file CONFIG to remove the option DDB and add the option GDB.
- Compilation and installation:
  - Compile the kernel with:
    cd /usr/src
    make buildkernel KERNCONF=CONFIG
  - Install the kernel:
    make installkernel KERNCONF=CONFIG
  - Restart the VM.
  - Copy the debug file kernel.debug from /usr/obj/usr/src/sys/CONFIG/ off the VM to use with GDB.
- Configuration of GDB:
  - Get the kernel source code, for navigation and for GDB:
    git clone -b releng/11.0 https://github.com/freebsd/freebsd.git
  - Compile GDB with FreeBSD support:
    - Download the latest version of GDB from https://ftp.gnu.org/gnu/gdb/ and extract the archive.
    - Create a build directory and enter it:
      mkdir build && cd build
    - Configure GDB:
      ../configure --disable-binutils --disable-ld --disable-gold --disable-gas --disable-sim --disable-gprof --target=x86_64-unknown-freebsd
    - Build GDB:
      make -j64
- Improvement of GDB:
  - Use gdb-dashboard to enhance the debugging experience.
  - .gdbinit file for the FreeBSD kernel:
    - Set the source path substitution (maps /usr/src to the cloned tree):
      set substitute-path /usr/src /home/shawn/freebsd
    - Set the disassembly style:
      set disassembly-flavor intel
    - Specify the kernel debug file:
      file kernel.debug
    - Connect GDB to the VM:
      target remote /tmp/fbsd11
- Interop with WSL:
  - Use tools such as conveyor and npiperelay for interoperability.
- Script to start GDB:
  - Create a shell script to launch GDB flexibly:
    #!/bin/sh
    # put the freshly built gdb first in PATH
    GDB_PATH=/home/shawn/gdb-10.1/build/gdb
    PATH=$GDB_PATH:$PATH
    # point gdb at its own data directory and forward any extra arguments
    gdb --data-directory=/home/shawn/gdb-10.1/build/gdb/data-directory "$@"
- Starting GDB:
  - In the VM, run the command to enter the kernel debugger:
    sysctl debug.kdb.enter=1
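As an added example (not code from the ps5-umtxdbg repository or from the page), the following POSIX shell script automates the kernel configuration step above: it derives CONFIG from GENERIC with the 'options DDB' line removed and 'options GDB' added, and checks the result before you run make buildkernel KERNCONF=CONFIG. The GENERIC excerpt, the temporary directory and the function names are constructed for this example; on the VM the real inputs are /usr/src/sys/amd64/conf/GENERIC and /root/CONFIG.

```shell
#!/bin/sh
# Added example, not code from the ps5-umtxdbg repository: derive a kernel
# config from GENERIC with 'options DDB' removed and 'options GDB' added, then
# verify the result before 'make buildkernel'. The sample GENERIC excerpt and
# the temporary paths are constructed for this example; on the VM the real
# files are /usr/src/sys/amd64/conf/GENERIC and /root/CONFIG.
set -eu

# Exact-word matches for the two options, so unrelated options whose names
# merely start with DDB or GDB are left untouched.
DDB_RE='^[[:space:]]*options[[:space:]]+DDB([[:space:]]|$)'
GDB_RE='^[[:space:]]*options[[:space:]]+GDB([[:space:]]|$)'

# make_debug_config SRC DST: copy SRC to DST without the DDB line, appending
# 'options GDB' only if it is not already present (safe to run twice).
make_debug_config() {
    src=$1
    dst=$2
    grep -Ev "$DDB_RE" "$src" > "$dst" || true   # grep exits 1 if nothing survives
    if ! grep -Eq "$GDB_RE" "$dst"; then
        printf 'options \tGDB\t\t\t# Support remote GDB.\n' >> "$dst"
    fi
}

# check_debug_config DST: succeed only when DST enables GDB and no longer
# enables DDB, i.e. a panic or debug.kdb.enter=1 hands control to the remote
# debugger instead of the in-kernel DDB prompt.
check_debug_config() {
    dst=$1
    grep -Eq "$GDB_RE" "$dst" || return 1
    if grep -Eq "$DDB_RE" "$dst"; then
        return 1
    fi
    return 0
}

# write_sample_generic FILE: a constructed excerpt of a GENERIC config that
# still enables DDB, standing in for the file shipped on the FreeBSD 11.0 VM.
write_sample_generic() {
    cat > "$1" <<'EOF'
ident		GENERIC
options 	KDB			# Enable kernel debugger support.
options 	KDB_TRACE		# Print a stack trace for a panic.
options 	DDB			# Support DDB.
options 	DEADLKRES		# Enable the deadlock resolver
device		loop			# Network loopback
EOF
}

# demo: run the transformation on the sample and print the resulting config.
demo() {
    tmp=$(mktemp -d)
    write_sample_generic "$tmp/GENERIC"
    make_debug_config "$tmp/GENERIC" "$tmp/CONFIG"
    if check_debug_config "$tmp/CONFIG"; then
        echo "CONFIG ok:"
        cat "$tmp/CONFIG"
    else
        echo "CONFIG still enables DDB or lacks GDB" >&2
        exit 1
    fi
    rm -rf "$tmp"
}

demo
```

The check function is the part worth keeping around: running it against the config before a long buildkernel catches the case where DDB was left in, which would otherwise send a panic to the in-kernel debugger prompt rather than to the waiting GDB session.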
Download: Source code ps5-umtxdbg
Source: twitter.com