Date: Sun, 12 Nov 1995 03:49:15 +1100
From: Bruce Evans <bde@zeta.org.au>
To: davidg@Root.COM, faulkner@mpd.tandem.com
Cc: current@freebsd.org, phk@freebsd.org
Subject: Re: rtelnet (socks) panics on connect
Message-ID: <199511111649.DAA02895@godzilla.zeta.org.au>
>>db> trace
>>_Debugger(f0114deb,f0114de0,f019f491,efbffe9c,f024c064) at _Debugger+0x2b
>>_panic(f019f491,f0210650,f0211dac,13,f09fe200) at _panic+0x3b
>>_kmem_malloc(f024c060,efbfe000,0,0,efbfff94) at _kmem_malloc+0xa8
>>_malloc(efbfdc98,4a,0,efbfff94,f0a03000) at _malloc+0x21b
>         ^^^^^^^^
>   It's trying to allocate about 4GB of memory. Yeah, the map is just a TINY
>bit too small for that. :-)
>>___sysctl(f0a03000,efbfff94,efbfff8c,808b060,efbfdc78) at ___sysctl+0xbe
>>_syscall(27,27,2,efbfdc78,efbfdc54) at _syscall+0x157
>   Looks like someone has broken sysctl. Sigh.

userland_sysctl() doesn't check `newlen' like __sysctl(), so it can be abused
to allocate too much kernel memory: as non-root, set new = NULL to bypass the
privilege check; then newlen bytes will be malloced() and the copyin() from the
user address NULL will fail immediately. Root can use all of kernel memory for
a little longer :-).

Bruce
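The flaw Bruce describes, modelled in user-space C as an added example (this is not FreeBSD's kernel source and not code from the thread). The function names set_vulnerable, set_fixed, model_copyin and model_kmalloc, and the limits MODEL_MAX_NEWLEN and MODEL_KMEM_LIMIT, are assumptions made for the illustration; the real allocator panicked in kmem_malloc() rather than returning NULL. The vulnerable path keys the privilege check on `new` being non-NULL and allocates `newlen` unchecked; the hardened path decides on `newlen`, bounds it, and rejects a NULL pointer with a non-zero length before anything is allocated.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound on how large a sysctl "new value" may be; the real kernel
 * applies its own sizing rules.  Anything larger is refused before allocation. */
#define MODEL_MAX_NEWLEN ((size_t)64 * 1024)

/* Largest request the modelled allocator honours, so a test can hand in a
 * ~4 GB newlen without actually touching 4 GB of memory. */
#define MODEL_KMEM_LIMIT ((size_t)1 << 20)

/* Records what the last caller asked the allocator for (0 = never reached). */
static size_t model_last_alloc_request;

/* Stand-in for copyin(): a NULL user pointer fails immediately with EFAULT,
 * exactly the "copyin() from the user address NULL" case in the mail. */
static int model_copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (uaddr == NULL)
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Stand-in for malloc(9): in the 1995 kernel an oversized request reached
 * kmem_malloc() and panicked; here it just fails so the test can continue. */
static void *model_kmalloc(size_t len)
{
    model_last_alloc_request = len;
    if (len > MODEL_KMEM_LIMIT)
        return NULL;
    return malloc(len);
}

/* Flawed path (model of the userland_sysctl() mistake): the privilege check
 * looks only at 'new', and newlen is allocated unchecked.  A non-root caller
 * passing new == NULL with a huge newlen skips the check and reaches the
 * allocator with the full size. */
static int set_vulnerable(bool is_root, const void *new, size_t newlen)
{
    void *buf;
    int error;

    model_last_alloc_request = 0;
    if (new != NULL && !is_root)
        return EPERM;
    buf = model_kmalloc(newlen);        /* reached with newlen ~ 4 GB */
    if (buf == NULL)
        return ENOMEM;                  /* the real kernel panicked here */
    error = model_copyin(new, buf, newlen);
    free(buf);
    return error;
}

/* Hardened path: a write is any request with newlen > 0.  Validate the
 * pointer and the length, then the privilege, and only then allocate. */
static int set_fixed(bool is_root, const void *new, size_t newlen)
{
    void *buf;
    int error;

    model_last_alloc_request = 0;
    if (newlen == 0)
        return 0;                       /* nothing to write */
    if (new == NULL || newlen > MODEL_MAX_NEWLEN)
        return EINVAL;                  /* rejected before any allocation */
    if (!is_root)
        return EPERM;
    buf = model_kmalloc(newlen);
    if (buf == NULL)
        return ENOMEM;
    error = model_copyin(new, buf, newlen);
    free(buf);
    return error;
}
```

The ordering in set_fixed is the point: every check that can reject the request runs on caller-controlled integers and pointers alone, so an unprivileged caller can never make the kernel allocate on its behalf, and the allocation size is capped regardless of who the caller is.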