From owner-freebsd-bugs Tue Sep 24 20:00:14 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA19460 for bugs-outgoing; Tue, 24 Sep 1996 20:00:14 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA19434; Tue, 24 Sep 1996 20:00:09 -0700 (PDT)
Resent-Date: Tue, 24 Sep 1996 20:00:09 -0700 (PDT)
Resent-Message-Id: <199609250300.UAA19434@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, Tor.Egge@idt.ntnu.no
Received: from pat.idt.unit.no (pat.idt.unit.no [129.241.103.5]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA18383 for ; Tue, 24 Sep 1996 19:56:03 -0700 (PDT)
Received: from ikke.idt.unit.no (ikke.idt.unit.no [129.241.111.65]) by pat.idt.unit.no (8.7.5/8.7.3) with ESMTP id EAA02424 for ; Wed, 25 Sep 1996 04:55:14 +0200 (MET DST)
Received: (from tegge@localhost) by ikke.idt.unit.no (8.7.5/8.7.3) id EAA00645; Wed, 25 Sep 1996 04:55:13 +0200 (MET DST)
Message-Id: <199609250255.EAA00645@ikke.idt.unit.no>
Date: Wed, 25 Sep 1996 04:55:13 +0200 (MET DST)
From: Tor Egge
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1677: read from /dev/kmem may crash system
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         1677
>Category:       kern
>Synopsis:       read from /dev/kmem may crash system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 24 20:00:03 PDT 1996
>Last-Modified:
>Originator:     Tor Egge
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:
FreeBSD ikke.idt.unit.no 2.2-CURRENT FreeBSD 2.2-CURRENT #1: Sat Sep 21 21:36:42 MET DST 1996 root@ikke.idt.unit.no:/usr/src/sys/compile/TEGGE i386
>Description:
	Seeking too far beyond the end of the kernel virtual memory area and
	then reading from /dev/kmem triggers a panic.
>How-To-Repeat:
	Compile and execute this program:
-----
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int
main(void)
{
	off_t off = 0xffff0000u;	/* well past the mapped kernel VA range */
	off_t noff;
	int fd;
	char buf[36];
	int got;

	fd = open("/dev/kmem", O_RDONLY, 0);
	printf("fd=%d\n", fd);
	if (fd < 0) {
		perror("open");
		return 1;
	}
	noff = lseek(fd, off, SEEK_SET);
	printf("noff = %qd\n", noff);
	got = read(fd, buf, sizeof(buf));	/* this read panics the kernel */
	printf("got=%d\n", got);
	return 0;
}
----
	And the result:

ikke:/export/akg5/crash$ gdb -k /TEGGE/kernel vmcore.3
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc...
IdlePTD 204000
current pcb at 1e0f38
panic: page fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
237		dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
#1  0xf0112206 in panic (fmt=0xf01bb90f "page fault") at ../../kern/kern_shutdown.c:361
#2  0xf01bc46a in trap_fatal (frame=0xefbffde0) at ../../i386/i386/trap.c:741
#3  0xf01bbf5c in trap_pfault (frame=0xefbffde0, usermode=0) at ../../i386/i386/trap.c:652
#4  0xf01bbc3f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -65536, tf_esi = -65536, tf_ebp = -272630228, tf_isp = -272630264, tf_ebx = -266447080, tf_edx = 1048560, tf_ecx = 2113536, tf_eax = -272629760, tf_trapno = 12, tf_err = 0, tf_eip = -266633792, tf_cs = 8, tf_eflags = 66070, tf_esp = -266447080, tf_ss = -272629964}) at ../../i386/i386/trap.c:311
#5  0xf01b3801 in calltrap ()
#6  0xf01b6dd0 in mmrw (dev=513, uio=0xefbfff34, flags=0) at ../../i386/i386/mem.c:241
#7  0xf0138c77 in spec_read (ap=0xefbffee8) at ../../miscfs/specfs/spec_vnops.c:261
#8  0xf01a2cb9 in ufsspec_read (ap=0xefbffee8) at ../../ufs/ufs/ufs_vnops.c:1858
#9  0xf0134d26 in vn_read (fp=0xf40b6b80, uio=0xefbfff34, cred=0xf3fdaa00) at ./vnode_if.h:255
#10 0xf0119027 in read (p=0xf40af600, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/sys_generic.c:116
---Type to continue, or q to quit---qQuit
(kgdb) up 6
#6  0xf01b6dd0 in mmrw (dev=513, uio=0xefbfff34, flags=0) at ../../i386/i386/mem.c:241
241			if (pmap_extract(kernel_pmap, addr) == 0)
(kgdb) print *uio
$1 = {uio_iov = 0xefbfff2c, uio_iovcnt = 1, uio_offset = 0x00000000ffff0000, uio_resid = 36, uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ, uio_procp = 0xf40af600}
(kgdb) list
236		 * that we don't create any zero-fill pages.
237		 */
238		addr = trunc_page(uio->uio_offset);
239		eaddr = round_page(uio->uio_offset + c);
240		for (; addr < eaddr; addr += PAGE_SIZE)
241			if (pmap_extract(kernel_pmap, addr) == 0)
242				return EFAULT;
243
244		if (!kernacc((caddr_t)(int)uio->uio_offset, c,
245			uio->uio_rw == UIO_READ ? B_READ : B_WRITE))
-----
>Fix:
>Audit-Trail:
>Unformatted:
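As an added illustration of the range check that frame #6 and the list output show (mem.c lines 238-242), and not code from the PR or from the FreeBSD kernel: a user-space C model of that trunc_page/round_page loop over a stubbed pmap_extract(), followed by a hypothetical guarded variant that bounds the request in 64 bits before any pmap lookup. The kernel window constants, the 4 MB backed region, the fake physical addresses and the kmem_check_* names are constructed for the model; the wrap case near 0xffffffff goes beyond what the PR reports, and since >Fix: is empty this is not the upstream fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Page macros as in i386 vm_param.h: vm_offset_t is 32-bit, so a 64-bit
 * off_t is truncated before rounding. */
#define PAGE_SIZE 4096u
#define PAGE_MASK (PAGE_SIZE - 1)
#define trunc_page(x) ((uint32_t)(x) & ~PAGE_MASK)
#define round_page(x) (((uint32_t)(x) + PAGE_MASK) & ~PAGE_MASK)
/* Constructed kernel VA window for this model (assumed, not from the PR). */
#define VM_MIN_KERNEL_ADDRESS 0xf0000000u
#define VM_MAX_KERNEL_ADDRESS 0xff800000u
/* Stand-in for pmap_extract(kernel_pmap, va): only the first 4 MB of the window
 * is backed; outside the window it records the fault the real call took. */
static int pmap_faulted;
static uint32_t fake_pmap_extract(uint32_t va)
{
    if (va < VM_MIN_KERNEL_ADDRESS || va >= VM_MAX_KERNEL_ADDRESS) { pmap_faulted = 1; return 0; }
    uint32_t rel = va - VM_MIN_KERNEL_ADDRESS;
    return rel < 0x400000u ? rel + PAGE_SIZE : 0;       /* fake PA, or unmapped */
}
/* Reads and clears the fault flag so each probe can be inspected. */
int pmap_faulted_and_reset(void) { int f = pmap_faulted; pmap_faulted = 0; return f; }
/* The loop quoted at mem.c:238-242: 0 if every page is mapped, else EFAULT. */
int kmem_check_unguarded(uint64_t off, size_t c)
{
    uint32_t addr = trunc_page(off), eaddr = round_page(off + c);
    for (; addr < eaddr; addr += PAGE_SIZE)
        if (fake_pmap_extract(addr) == 0)
            return EFAULT;
    return 0;
}
/* Hypothetical hardened version: bound the request to the kernel window in
 * 64 bits first, so neither truncation nor off + c wrap reaches the pmap. */
int kmem_check_guarded(uint64_t off, size_t c)
{
    uint64_t end = off + c;
    if (end < off || off < VM_MIN_KERNEL_ADDRESS || end > VM_MAX_KERNEL_ADDRESS)
        return EFAULT;
    return kmem_check_unguarded(off, c);
}
int main(void)
{
    int r = kmem_check_unguarded(0xffff0000ULL, 36);    /* the PR's offset */
    printf("unguarded: %d faulted=%d\n", r, pmap_faulted_and_reset());
    r = kmem_check_guarded(0xffff0000ULL, 36);
    printf("guarded:   %d faulted=%d\n", r, pmap_faulted_and_reset());
    return 0;
}
```

With the PR's offset the unguarded loop hands 0xffff0000 to the pmap stub (faulted=1), while the guarded version returns EFAULT without touching it; an offset near 0xffffffff makes round_page wrap so the unguarded loop never runs and passes silently.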