misc/169947: System crash via ioctl() on mdctl.
Jaakko Heinonen
jh at FreeBSD.org
Wed Jul 18 13:50:03 UTC 2012
The following reply was made to PR kern/169947; it has been noted by GNATS.
From: Jaakko Heinonen <jh at FreeBSD.org>
To: Filip Palian <filip.palian at pjwstk.edu.pl>
Cc: bug-followup at FreeBSD.org
Subject: Re: misc/169947: System crash via ioctl() on mdctl.
Date: Wed, 18 Jul 2012 16:33:39 +0300
On 2012-07-17, Filip Palian wrote:
> User who has read permission on "/dev/mdctl" is able to crash the
> system (also within the jail if only provided by devfs(.rules)) via
> ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occurs
> in function swap_release_by_cred() (swap_pager.c:285) called in
> vm_object_deallocate() (md.c:1119). Some detailed information included
> below.
>
> Patch attached with submission follows:
>
> #include <stdio.h>
> #include <stdlib.h>

I couldn't reproduce the problem with your test program on current or
stable/9:

$ ./mdtest.orig
say goodnight...
ioctl(MDIOCATTACH) failed: Invalid argument
no +r no fun

I tried to modify the test program with the following changes but still no
success.

%%%
--- mdtest.c 2012-07-18 16:13:34.000000000 +0300
+++ mdtest.c 2012-07-18 16:17:05.000000000 +0300
@@ -21,7 +21,8 @@
s.md_version = MDIOVERSION;
// s.md_type = MD_SWAP;
s.md_type = MD_PRELOAD;
- s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS;
+ s.md_base = -1;
+ s.md_options = MD_AUTOUNIT;
// typedef long long = int64 = off_t
//s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000;
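Review bot: The added `s.md_base = -1;` line and the reduction of `s.md_options` to `MD_AUTOUNIT` carry no comment saying what each change is meant to exercise, and the hunk keeps two commented-out assignments (`// s.md_type = MD_SWAP;` and the `md_mediasize` line), so a reader cannot tell from the source which request a given run actually issued. Add a one-line comment beside each changed field and either delete the commented-out lines or say why they are disabled, so that the result reported for ./mdtest can be tied to an exact set of field values.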
%%%

$ ./mdtest
say goodnight...
no +r no fun

A new md device is successfully created.

Are you sure that you attached the correct test program and you didn't
have local patches applied to your kernel?

--
Jaakko
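
An added example, not part of the original message or of FreeBSD's code: the report ties exposure to whether devfs rules make /dev/mdctl available inside a jail, so this script lists the rules in a devfs.rules-style file that unhide or set a mode on mdctl for a given ruleset, following includes. The ruleset names and the sample text are constructed, and only `add path ... unhide|mode` and `add include $name` rules are interpreted.

```python
import fnmatch
import re

# Constructed sample in devfs.rules syntax; ruleset names and numbers are made up.
SAMPLE_RULES = """\
[example_hide_all=10]
add hide

[example_jail_basic=11]
add include $example_hide_all
add path null unhide
add path zero unhide

[example_jail_md=12]
add include $example_jail_basic
add path 'md*' unhide
add path mdctl mode 0644
"""

DEVICE = "mdctl"  # node name under /dev that the report is about


def parse_rulesets(text):
    """Return {ruleset_name: [rule text after 'add', ...]} in file order."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        header = re.fullmatch(r"\[(\w+)=\d+\]", line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
        elif line.startswith("add ") and current is not None:
            current.append(line[4:].strip())
    return rulesets


def exposure(rulesets, name, seen=()):
    """Rules reachable from ruleset `name` that unhide or set a mode on DEVICE."""
    seen = seen + (name,)
    hits = []
    for rule in rulesets.get(name, []):
        inc = re.fullmatch(r"include\s+\$(\w+)", rule)
        if inc:
            if inc.group(1) not in seen:  # guard against include loops
                hits += exposure(rulesets, inc.group(1), seen)
            continue
        m = re.match(r"path\s+(\S+)\s+(.*)", rule)
        if m and fnmatch.fnmatchcase(DEVICE, m.group(1).strip("'\"")):
            action = m.group(2)
            if "unhide" in action.split() or re.search(r"\bmode\s+\d+", action):
                hits.append(rule)
    return hits


if __name__ == "__main__":
    for rule in exposure(parse_rulesets(SAMPLE_RULES), "example_jail_md"):
        print("exposes", DEVICE, "via:", rule)
```

A ruleset that returns an empty list here has no interpreted rule that makes mdctl visible or changes its mode; wildcard patterns such as `md*` are the case most easily missed when reading the file by eye.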