kern/130391: Normal users can crash 7.0-RELEASE through "kenv" syscall

Gavin Atkinson gavini at
Sun Jan 11 15:50:04 PST 2009

The following reply was made to PR kern/130391; it has been noted by GNATS.

From: Gavin Atkinson <gavini at>
To: bug-followup at
Cc: scottl at
Subject: Re: kern/130391: Normal users can crash 7.0-RELEASE through "kenv"
Date: Sun, 11 Jan 2009 23:15:03 +0000 (GMT)

 I can confirm that this bug still exists on HEAD (sparc64):
 FreeBSD 8.0-20081215-SNAP (GENERIC) #0: Mon Dec 15 15:58:11 UTC 2008
 > cc 130391.c
 > ./a.out
 panic: kmem_malloc(-2147483648): kmem_map too small: 3497984 total allocated
 cpuid = 0
 KDB: enter: panic
 [thread pid 1124 tid 100065 ]
 Stopped at      kdb_enter+0x80: ta              %xcc, 1
 db> bt
 Tracing pid 1124 tid 100065 td 0xfffff80001b0b880
 panic() at panic+0x20c
 kmem_malloc() at kmem_malloc+0x2d8
 page_alloc() at page_alloc+0x28
 uma_large_malloc() at uma_large_malloc+0x44
 malloc() at malloc+0x1b0
 kenv() at kenv+0x88
 syscall() at syscall+0x2f0
 -- syscall (390, FreeBSD ELF64, kenv) %o7=0x10067c --
 userland() at 0x40454768
 user trace: trap %o7=0x10067c
 pc 0x40454768, sp 0x7fdffffe211
 pc 0x100550, sp 0x7fdffffe341
 pc 0x402066f4, sp 0x7fdffffe401
 The changes that introduced this seem to be sys/kern/kern_environment.c 
 1.44 (by scottl@, cc'd)

More information about the freebsd-bugs mailing list