{
  "entrypoint_kind": "local_kernel_runtime",
  "entrypoint_detail": "QEMU x86_64 VM (TCG, 4 vCPU, 4GB) booting the SAME Linux 7.0.0-rc2 bzImage (commit e3f5e0f22, KASAN, with pr_info injected into ipgre_header and ip6gre_header) used by the repro stage; only bonding.ko is swapped between runs (vulnerable = no bond_header_ops, fixed = has bond_header_ops). The in-VM /init (bond_variant_init, static) loads bonding/dummy/ip6_tunnel/ip6_gre modules, adds fd00::1/128 to lo, creates ip6gre1 with `ip link add ip6gre1 type ip6gre local fd00::1` (NO remote, so ip6gre_tunnel_init assigns ip6gre_header_ops), creates bond1 in active-backup mode, enslaves ip6gre1 to bond1 (bond_setup_by_slave copies ip6gre_header_ops onto bond1 on the vuln kernel / bond_header_ops on the fixed kernel), loads populate_hlen6.ko (writes 0x961a63cc into netdev_priv(bond1).ip6_tnl.hlen at offset 264), then fires an AF_PACKET SOCK_DGRAM sendto on bond1 to invoke dev_hard_header(bond1) -> ip6gre_header(bond1) [vuln: type confusion + DoS] / bond_header_create -> ip6gre_header(ip6gre1) [fixed: correct, no crash].",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "qemu-system-x86_64 (TCG, -m 4096 -smp 4 -no-reboot -nographic -snapshot)",
    "linux-7.0.0-rc2 (e3f5e0f22, KASAN generic, SMP, oops=panic)",
    "bonding.ko (vuln: no bond_header_ops / fixed: has bond_header_ops) -- swapped per run",
    "ip6_gre.ko (ip6gre_header with CVE-2026-43456 pr_info)",
    "ip6_tunnel.ko, tunnel6.ko, dummy.ko",
    "populate_hlen6.ko (out-of-tree, writes 0x961a63cc to ip6_tnl.hlen of netdev_priv(bond1))",
    "bond_variant_init (/init, static, PID 1)"
  ],
  "ab_method": "Single bzImage (vulnerable 7.0.0-rc2 e3f5e0f22); only bonding.ko differs between the vuln-rootfs.img and fixed-rootfs.img. Identical userspace init and identical populate_hlen6 write on both. Vuln kernel crashes (DoS); fixed kernel survives and prints RESULT: NOT VULNERABLE.",
  "proof_artifacts": [
    "logs/qemu_var_vuln.log",
    "logs/qemu_var_fixed.log",
    "logs/vuln_variant_repro.log"
  ],
  "vulnerable_run": {
    "kernel": "7.0.0-rc2 (e3f5e0f22) + vulnerable bonding.ko",
    "type_confusion_observed": "ip6gre_header: dev=bond1 hlen=0 needed=40 headroom=288 (before populate) -> dev=bond1 hlen=-1776655412 needed=-1776655372 headroom=288 (after populate_hlen6 wrote 0x961a63cc to ip6_tnl.hlen offset 264)",
    "populate_line": "CVE-2026-43456 VAR(ip6gre): bond1 priv=ffff8881039e69c0 ip6_tnl.hlen offset=264 old=0x00000000(0) new=0x961a63cc(-1776655412)",
    "crash": "kernel BUG at net/core/skbuff.c:2306! / Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI / RIP: 0010:pskb_expand_head+0x59c/0x6d0 / Call Trace: ip6gre_header+0x14a/0x430 [ip6_gre] / Kernel panic - not syncing: Fatal exception",
    "result_line": "<absent -- init crashed before reaching RESULT, as expected for the DoS>"
  },
  "fixed_run": {
    "kernel": "7.0.0-rc2 (e3f5e0f22) + fixed bonding.ko (bond_header_ops, fix 950803f7)",
    "delegation_observed": "ip6gre_header: dev=ip6gre1 hlen=4 needed=44 headroom=288 (bond_header_ops delegated to the active slave ip6gre1 device; netdev_priv(ip6gre1) is the correct struct ip6_tnl)",
    "populate_line": "CVE-2026-43456 VAR(ip6gre): bond1 priv=ffff8881045ae9c0 ip6_tnl.hlen offset=264 old=0x00000000(0) new=0x961a63cc(-1776655412) (write is harmless on fixed kernel -- bond1 priv is never read as ip6_tnl)",
    "crash": "<none>",
    "result_line": "RESULT: NOT VULNERABLE (no kernel crash; fixed bond_header_ops used the slave ip6gre1 device)"
  },
  "notes": "variant_confirmed_on_vulnerable=true; bypass_confirmed=false; fix_covers_variant=true. The ip6gre alternate sink (net/ipv6/ip6_gre.c:ip6gre_header, struct ip6_tnl, hlen offset 264) is distinct from the original ipgre sink (net/ipv4/ip_gre.c:ipgre_header, struct ip_tunnel, hlen offset 160). The original repro never reached ip6gre_header because its probe used `remote fd00::2`, which prevents ip6gre_header_ops from being assigned (ip6gre_tunnel_init assigns it only when ipv6_addr_any(&parms.raddr)). This variant uses no remote and actually reaches the type-confused ip6gre_header(bond1) sink, reproducing the same kernel DoS on the vulnerable kernel, while the fixed kernel's generic bond_header_ops wrapper covers it."
}
