kern/130391: Normal users can crash 7.0-RELEASE through "kenv"
syscall
Gavin Atkinson
gavini at FreeBSD.org
Sun Jan 11 15:50:04 PST 2009
The following reply was made to PR kern/130391; it has been noted by GNATS.
From: Gavin Atkinson <gavini at FreeBSD.org>
To: bug-followup at FreeBSD.org
Cc: scottl at FreeBSD.org
Subject: Re: kern/130391: Normal users can crash 7.0-RELEASE through "kenv"
syscall
Date: Sun, 11 Jan 2009 23:15:03 +0000 (GMT)
I can confirm that this bug still exists on HEAD (sparc64):
FreeBSD 8.0-20081215-SNAP (GENERIC) #0: Mon Dec 15 15:58:11 UTC 2008
> cc 130391.c
> ./a.out
panic: kmem_malloc(-2147483648): kmem_map too small: 3497984 total allocated
cpuid = 0
KDB: enter: panic
[thread pid 1124 tid 100065 ]
Stopped at kdb_enter+0x80: ta %xcc, 1
db> bt
Tracing pid 1124 tid 100065 td 0xfffff80001b0b880
panic() at panic+0x20c
kmem_malloc() at kmem_malloc+0x2d8
page_alloc() at page_alloc+0x28
uma_large_malloc() at uma_large_malloc+0x44
malloc() at malloc+0x1b0
kenv() at kenv+0x88
syscall() at syscall+0x2f0
-- syscall (390, FreeBSD ELF64, kenv) %o7=0x10067c --
userland() at 0x40454768
user trace: trap %o7=0x10067c
pc 0x40454768, sp 0x7fdffffe211
pc 0x100550, sp 0x7fdffffe341
pc 0x402066f4, sp 0x7fdffffe401
done
db>
The changes that introduced this seem to be sys/kern/kern_environment.c
1.44 (by scottl@, cc'd)
Gavin
More information about the freebsd-bugs
mailing list