Date: Sun, 5 Sep 1999 21:14:42 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: "Brian F. Feldman" <green@FreeBSD.ORG>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Nick Hibma <hibma@skylink.it>, FreeBSD -- The Power to Serve <geniusj@free-bsd.org>, Mike Tancsa <mike@sentex.net>, freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD
Message-ID: <199909060414.VAA70569@apollo.backplane.com>
References: <Pine.BSF.4.10.9909052026560.98872-100000@janus.syracuse.net>

:On Sun, 5 Sep 1999, Matthew Dillon wrote:
:
:>
:> :>    old value of ui_sbsize when uip is not NULL.  That may make the
:> :>    problem more obvious.
:> :
:> :I've gdb'd every crash and it's been something like ui_sbsize = 0x1234
:> :delta = -0x2000.
:> :
:> : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \
:>
:>    0x1234 could be an indication of a reference to a data structure
:>    which has been freed.
:
:That would be 0xdeadc0de, but it wasn't actually 0x1234. It was something
:else somewhat similar. After tracking down the problem k6_mem.c has, I may
:look much more into this.
:
: Brian Fundakowski Feldman / "Any sufficiently advanced bug is \

    I'm trying to remember where that came from.. .grep grep grep.  Ah,
    here we are.  0x12342378 is used by the zone allocator to indicate
    a free entry.  It stores it in a particular place (it isn't a fill).
    (see vm/vm_zone.h)

                                        -Matt
                                        Matthew Dillon
                                        <dillon@backplane.com>
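
Added example (not part of the original mail and not FreeBSD source): a toy fixed-size allocator showing the difference the thread turns on, a free marker written to one slot of the item rather than a fill of the whole item, and how that looks when a stale pointer is read. The value 0x12342378 is the one quoted in the mail; the item layout, the choice of word 1 as the marker slot, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FREE_MARKER 0x12342378u  /* value quoted in the mail; macro name is hypothetical */
#define NITEMS 4

/* Hypothetical item: word 0 doubles as the free-list link, word 1 holds the marker. */
struct item { uintptr_t w[4]; };

static struct item pool[NITEMS];
static struct item *freelist;

static void toy_zinit(void) {
    freelist = NULL;
    for (int i = 0; i < NITEMS; i++) {
        pool[i].w[0] = (uintptr_t)freelist;
        pool[i].w[1] = FREE_MARKER;
        freelist = &pool[i];
    }
}

/* Returns NULL when empty, or when the head entry lost its marker (a write after free). */
static struct item *toy_zalloc(void) {
    struct item *it = freelist;
    if (it == NULL || it->w[1] != FREE_MARKER) return NULL;
    freelist = (struct item *)it->w[0];
    it->w[1] = 0;
    return it;
}

/* Returns 0 on success, -1 on double free. Only words 0 and 1 are written: no fill. */
static int toy_zfree(struct item *it) {
    if (it->w[1] == FREE_MARKER) return -1;
    it->w[0] = (uintptr_t)freelist;
    it->w[1] = FREE_MARKER;
    freelist = it;
    return 0;
}

/* Triage helper: does a field value seen in a debugger match the free marker? */
static int looks_freed(uintptr_t v) { return v == FREE_MARKER; }

int main(void) {
    toy_zinit();
    struct item *it = toy_zalloc();
    it->w[1] = 0x2000; it->w[2] = 0xabcd;  /* constructed field values */
    toy_zfree(it);
    /* Stale read through the old pointer: w[1] is now the marker, w[2] is untouched. */
    printf("w1=%#lx w2=%#lx freed=%d\n", (unsigned long)it->w[1],
           (unsigned long)it->w[2], looks_freed(it->w[1]));
    return toy_zfree(it) == -1 ? 0 : 1;  /* the second free is rejected */
}
```

Because only the marker slot changes on free, a field that overlays that slot reads back as the marker while the neighbouring fields still look plausible, which is why a single odd value in a crash dump can be the only sign of a freed structure.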