Date: 25 Mar 2003 20:55:50 -0000 From: "Valentin A.Alekseev" <valeks@valabs.spb.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/50298: unlimited usage of AGP memory make system hung Message-ID: <20030325205550.897.qmail@alpha.valabs.spb.ru>
next in thread | raw e-mail | index | archive | help
>Number: 50298
>Category: kern
>Synopsis: unlimited usage of AGP memory make system hung
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 25 13:00:26 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Valentin A. Alekseev
>Release: FreeBSD 5.0-RELEASE-p6 i386
>Organization:
Valentin A. Alekseev
>Environment:
System: FreeBSD alpha.valabs.spb.ru 5.0-RELEASE-p6 FreeBSD 5.0-RELEASE-p6 #3: Sun Mar 23 00:55:36 MSK 2003 valeks@alpha.valabs.spb.ru:/usr/src/sys/i386/compile/ALPHA i386
/usr/src/sys/pci/agp.c:
$FreeBSD: src/sys/pci/agp.c,v 1.22 2002/11/13 17:40:15 mux Exp $
XFree86 Version 4.3.0
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: FreeBSD 5.0-RELEASE-p4 i386 [ELF]
>Description:
AGP aperture memory allocated in kernel address space with no limits
ever set. This is exploitable both by root and non-root users using
either AGPIOC_* ioctl's directly or using any gl function with realy
big arguments (for the first time this was discovered for glTexImage2D
function on XFree86 4.3.0).
>How-To-Repeat:
Exploit is located at http://www.valabs.spb.ru/files/agpdos.c (1,6K)
>Fix:
Currently no fix or patch made by me.
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030325205550.897.qmail>