From owner-freebsd-current Sat Nov 11 08:52:47 1995
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id IAA20800 for current-outgoing; Sat, 11 Nov 1995 08:52:47 -0800
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA20792 ; Sat, 11 Nov 1995 08:52:36 -0800
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id DAA02895; Sun, 12 Nov 1995 03:49:15 +1100
Date: Sun, 12 Nov 1995 03:49:15 +1100
From: Bruce Evans
Message-Id: <199511111649.DAA02895@godzilla.zeta.org.au>
To: davidg@Root.COM, faulkner@mpd.tandem.com
Subject: Re: rtelnet (socks) panics on connect
Cc: current@freebsd.org, phk@freebsd.org
Sender: owner-current@freebsd.org
Precedence: bulk

>>db> trace
>>_Debugger(f0114deb,f0114de0,f019f491,efbffe9c,f024c064) at _Debugger+0x2b
>>_panic(f019f491,f0210650,f0211dac,13,f09fe200) at _panic+0x3b
>>_kmem_malloc(f024c060,efbfe000,0,0,efbfff94) at _kmem_malloc+0xa8
>>_malloc(efbfdc98,4a,0,efbfff94,f0a03000) at _malloc+0x21b
>                       ^^^^^^^^
>   It's trying to allocate about 4GB of memory. Yeah, the map is just a TINY
>bit too small for that. :-)

>>___sysctl(f0a03000,efbfff94,efbfff8c,808b060,efbfdc78) at ___sysctl+0xbe
>>_syscall(27,27,2,efbfdc78,efbfdc54) at _syscall+0x157

>   Looks like someone has broken sysctl. Sigh.

userland_sysctl() doesn't check `newlen' like __sysctl(), so it can be
abused to allocate too much kernel memory: as non-root, set new = NULL
to bypass the privilege check; then newlen bytes will be malloc()ed and
the copyin() from the user address NULL will fail immediately. Root can
use all of kernel memory for a little longer :-).

Bruce
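The allocate-then-copyin ordering Bruce describes, modelled as an added example (not FreeBSD's own code, and not from the thread): a toy "kernel map" stands in for kmem_malloc(), and the unchecked handler is shown beside one that validates the pointer/length pair before allocating. The arena size, the MAX_NEW_LEN cap and all function names are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-in for the kernel map: a fixed arena, so an oversized request
 * surfaces as the failure in the trace instead of being silently served.
 * Both constants are assumed values, not FreeBSD's. */
#define KMEM_ARENA   (1u << 20)     /* assumed 1 MiB "kernel map" */
#define MAX_NEW_LEN  (64u * 1024)   /* assumed cap on a sysctl new value */

static size_t kmem_used;
static int    kmem_panicked;

/* Models kmem_malloc(): returns 1 on success, 0 when the map is too small,
 * setting the panic flag where the real kernel would panic. */
static int kmem_malloc_sim(size_t len)
{
    if (len > KMEM_ARENA - kmem_used) { kmem_panicked = 1; return 0; }
    kmem_used += len;
    return 1;
}

static void kmem_reset(void) { kmem_used = 0; kmem_panicked = 0; }

/* Unchecked path, as described in the message: newlen goes straight to the
 * allocator, and only afterwards does the copy from NULL fail. */
static int sysctl_new_unchecked(const void *user_new, size_t newlen)
{
    if (!kmem_malloc_sim(newlen))
        return ENOMEM;              /* in the real kernel: the panic above */
    if (user_new == NULL)
        return EFAULT;              /* copyin() fails; buffer already taken */
    return 0;
}

/* Checked path: validate the pointer/length pair before touching the map. */
static int sysctl_new_checked(const void *user_new, size_t newlen)
{
    if (user_new == NULL)
        return newlen == 0 ? 0 : EINVAL;   /* no new value to set */
    if (newlen > MAX_NEW_LEN)
        return EINVAL;              /* reject before any allocation */
    if (!kmem_malloc_sim(newlen))
        return ENOMEM;
    return 0;
}
```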