From owner-freebsd-current@FreeBSD.ORG Fri Apr 8 05:05:19 2005
Date: Thu, 7 Apr 2005 22:05:19 -0700 (PDT)
From: Doug White
To: Kris Kennaway
cc: current@FreeBSD.org
cc: phk@freeBSD.org
Subject: Re: NULL pointer deref in ptcread()
In-Reply-To: <20050405174344.GA86957@xor.obsecurity.org>
Message-ID: <20050407220445.F57391@carver.gumbysoft.com>
References: <20050405174344.GA86957@xor.obsecurity.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Id: Discussions about the use of FreeBSD-current

On Tue, 5 Apr 2005, Kris Kennaway wrote:

> HEAD from yesterday on a SMP machine.
>
> Kris
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 06
> fault virtual address = 0x0
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0xc06b4b02
> stack pointer = 0x10:0xf7cb6b4c
> frame pointer = 0x10:0xf7cb6b78
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 1182 (screen)
> [thread pid 1182 tid 100239 ]
> Stopped at generic_bcopy+0x1a: repe movsl (%esi),%es:(%edi)
> db> wh
> Tracing pid 1182 tid 100239 td 0xc5a92b80
> generic_bcopy(c59aa438,f7cb6bb8,40,c0758280,1) at generic_bcopy+0x1a
> ptcread(c69b3d00,f7cb6c68,4,3ae,1000) at ptcread+0x180
> devfs_read_f(c5d8e558,f7cb6c68,c605e100,0,c5a92b80) at devfs_read_f+0xa7
> dofileread(c5a92b80,c5d8e558,7,bfbfd3f0,1000) at dofileread+0xc3
> read(c5a92b80,f7cb6d14,3a6,c0715022,c5a92b80) at read+0x6c
> syscall(2f,2f,bfbf002f,80aa050,0) at syscall+0x2c4
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (3, FreeBSD ELF32, read), eip = 0x2816fbd7, esp = 0xbfbfd3cc, ebp = 0xbfbfe408 ---
> db>

Can you get a file+line on this? The only thing that comes to mind is if
the uio is corrupted and someone stumbles over it.

-- 
Doug White | FreeBSD: The Power to Serve
dwhite@gumbysoft.com | www.FreeBSD.org