Date: Sun, 5 Sep 1999 07:49:59 -0400 (EDT)
From: "Brian F. Feldman"
To: Matthew Dillon
Cc: Garrett Wollman, Nick Hibma, FreeBSD -- The Power to Serve, Mike Tancsa, freebsd-security@FreeBSD.org
Subject: Re: FW: Local DoS in FreeBSD
In-Reply-To: <199909050120.SAA63930@apollo.backplane.com>

On Sat, 4 Sep 1999, Matthew Dillon wrote:

> Oh wait, I don't know which KASSERT() you were referring to.
>
> If you were referring to the first one (uip != NULL), I think it can occur as
> I say. If it is referring to the second one, (uip->ui_sbsize >= 0),
> then I'm not sure.

That's the one I meant.

> Either way I would get rid of chgsbsize() and instead change the chgproccnt()
> function to take a third argument, or make it even more general by passing
> a field type and a delta to allow it to be scaled to other things.

Probably a good idea, and I'll see how it works after I get the KASSERT() to
stop tripping.

> It may be as simple as the KASSERT winding up being wrong.

Doesn't seem like it at all.

> I would also instrument the panic portion of the KASSERT to
> display more information, such as value of 'diff' and the
> old value of ui_sbsize when uip is not NULL. That may make the
> problem more obvious.

I've gdb'd every crash and it's been something like ui_sbsize = 0x1234
delta = -0x2000.

> -Matt

--
 Brian Fundakowski Feldman           /  "Any sufficiently advanced bug is    \
 green@FreeBSD.org                   |   indistinguishable from a feature."  |
     FreeBSD: The Power to Serve!    \        -- Rich Kulawiec               /