malloc calls and ioctl calls to soundcard cause segfault
Shawn Webb
shawnwebb at softhome.net
Tue Oct 12 12:07:27 PDT 2004
I have stumbled upon a local DoS (non-kernel) while writing a VoIP app for
FreeBSD. The DoS exists when two ioctl calls (or less/more?) are followed by
a malloc call to malloc a pointer in global scope which is then followed by
two more (or less/more?) ioctl calls. The result is a stack smash, and upon
return of the function, the program segfaults.
gdb output of the core dump:
Core was generated by `a.out'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x00000080 in ?? ()
I am currently running:
FreeBSD 5.3-BETA7 FreeBSD 5.3-BETA7 #2: Sun Oct 10 21:05:53 MDT 2004
shawn@:/usr/obj/usr/src/sys/LATERALUS i386
I have confirmed the same results on multiple FreeBSD machines, each different
versions spanning 4.10-RELEASE to 5.2.1-RELEASE (and my 5.3-BETA7 machine).
Shawn Webb
http://retoros.org:81/
(attached is the source code to the segfaulting application)
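Added example, not code from the post or its attachment: a checked ioctl wrapper that compares the caller's buffer size with the argument size encoded in the request number (IOCPARM_LEN on FreeBSD, _IOC_SIZE on Linux). It rests on an assumption the post does not confirm, namely that handing a driver a buffer smaller than the request's argument (an int where a struct is expected) is one way ioctl calls can overwrite the caller's stack; struct demo_info and DEMO_REQ are constructed stand-ins for a real driver request.

```c
/* Added example, not code from the post: refuse an ioctl whose caller-supplied
 * buffer is smaller than the argument size encoded in the request number.
 * Assumption (not confirmed by the post): passing e.g. an int where the
 * request expects a larger struct lets the kernel's copyout overrun the
 * caller's stack, which is one way ioctl calls can "smash" a stack. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>

#ifdef __FreeBSD__
#include <sys/ioccom.h>
#define IOCTL_ARG_LEN(req) ((size_t)IOCPARM_LEN(req))   /* FreeBSD: bits 16..28 */
#else
#define IOCTL_ARG_LEN(req) ((size_t)_IOC_SIZE(req))     /* Linux: bits 16..29 */
#endif

/* Constructed stand-in for a driver's "read a 16-byte status struct" request. */
struct demo_info { char bytes[16]; };
#define DEMO_REQ _IOR('D', 1, struct demo_info)

/* 0 when buf_len covers what the request will copy out, -1 otherwise. */
int ioctl_size_ok(unsigned long req, size_t buf_len) {
    return buf_len >= IOCTL_ARG_LEN(req) ? 0 : -1;
}

/* Drop-in for ioctl(2) that fails with EINVAL instead of letting the kernel
 * write past a too-small buffer. */
int ioctl_checked(int fd, unsigned long req, void *buf, size_t buf_len) {
    if (ioctl_size_ok(req, buf_len) != 0) {
        fprintf(stderr, "ioctl 0x%lx copies %zu bytes but caller gave %zu\n",
                req, IOCTL_ARG_LEN(req), buf_len);
        errno = EINVAL;
        return -1;
    }
    return ioctl(fd, req, buf);
}

int main(void) {
    struct demo_info info;
    int too_small;
    /* fd -1 so the real syscall only fails with EBADF; the size check is the point. */
    ioctl_checked(-1, DEMO_REQ, &info, sizeof info);            /* passes the check */
    ioctl_checked(-1, DEMO_REQ, &too_small, sizeof too_small);  /* rejected: 4 < 16 */
    return 0;
}
```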