Date:      Sun, 5 Sep 1999 07:49:59 -0400 (EDT)
From:      "Brian F. Feldman" <green@FreeBSD.org>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Nick Hibma <hibma@skylink.it>, FreeBSD -- The Power to Serve <geniusj@free-bsd.org>, Mike Tancsa <mike@sentex.net>, freebsd-security@FreeBSD.org
Subject:   Re: FW: Local DoS in FreeBSD
Message-ID:  <Pine.BSF.4.10.9909050747260.86690-100000@janus.syracuse.net>
In-Reply-To: <199909050120.SAA63930@apollo.backplane.com>

On Sat, 4 Sep 1999, Matthew Dillon wrote:

> 
>     Oh wait, I don't know which KASSERT() you were referring to.
> 
>     If you were referring to the first one (uip != NULL), I think it can occur as
>     I say.  If it is referring to the second one, (uip->ui_sbsize >= 0),
>     then I'm not sure.

That's the one I meant.

> 
>     Either way I would get rid of chgsbsize() and instead change the chgproccnt()
>     function to take a third argument, or make it even more general by passing
>     a field type and a delta to allow it to be scaled to other things.

Probably a good idea, and I'll see how it works after I get the KASSERT()
to stop tripping.

> 
>     It may be as simple as the KASSERT winding up being wrong.  

Doesn't seem like it at all.

> 
>     I would also instrument the panic portion of the KASSERT to
>     display more information, such as value of 'diff' and the
>     old value of ui_sbsize when uip is not NULL.  That may make the
>     problem more obvious.

I've gdb'd every crash and it's been something like ui_sbsize = 0x1234
delta = -0x2000.

> 
> 						-Matt
> 

-- 
 Brian Fundakowski Feldman           /  "Any sufficiently advanced bug is    \
 green@FreeBSD.org                   |   indistinguishable from a feature."  |
     FreeBSD: The Power to Serve!    \        -- Rich Kulawiec               /
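
The check discussed in this thread, as an added example that is not part of the original message or FreeBSD's code: a userland C model of one accounting function that takes a field selector and a delta, refuses an update that would drive the counter negative, and reports the old value and the delta. The names chg_uidfield, ui_field and uidinfo_model are hypothetical, and the starting state is constructed from the values quoted above.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Userland model; names echo the thread but this is not FreeBSD kernel code. */
enum ui_field { UI_PROCCNT, UI_SBSIZE };      /* hypothetical field selector */

struct uidinfo_model {
    long ui_proccnt;                          /* processes owned by the uid */
    long ui_sbsize;                           /* socket buffer bytes charged */
};

/*
 * Apply delta to one per-uid counter. Returns 0 on success. Returns -1 and
 * leaves the counter untouched if uip is NULL or the result would leave the
 * range [0, LONG_MAX]; msg then records the old value and the delta.
 */
int chg_uidfield(struct uidinfo_model *uip, enum ui_field f, long delta,
                 char *msg, size_t msglen)
{
    const char *name = (f == UI_PROCCNT) ? "ui_proccnt" : "ui_sbsize";
    unsigned long mag = delta < 0 ? 0UL - (unsigned long)delta
                                  : (unsigned long)delta;
    long *p;

    if (uip == NULL) {
        snprintf(msg, msglen, "%s: uip == NULL", name);
        return -1;
    }
    p = (f == UI_PROCCNT) ? &uip->ui_proccnt : &uip->ui_sbsize;
    /* Counters are kept >= 0, so neither comparison below can overflow. */
    if ((delta < 0 && *p + delta < 0) || (delta > 0 && *p > LONG_MAX - delta)) {
        snprintf(msg, msglen, "%s out of range: old = 0x%lx, delta = %s0x%lx",
                 name, (unsigned long)*p, delta < 0 ? "-" : "", mag);
        return -1;
    }
    *p += delta;
    return 0;
}

int main(void)
{
    struct uidinfo_model u = { 0, 0x1234 };   /* constructed sample state */
    char msg[128];

    if (chg_uidfield(&u, UI_SBSIZE, -0x2000, msg, sizeof msg) != 0)
        puts(msg);
    return 0;
}
```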


