Date: Mon, 1 Feb 1999 23:25:52 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: current@FreeBSD.ORG
Subject: Re: swap_page_getswapspace failed (don't do stupid things with /dev/mem)
Message-ID: <Pine.BSF.3.96.990201232233.10163C-100000@fledge.watson.org>
In-Reply-To: <199902020419.UAA31702@apollo.backplane.com>

On Mon, 1 Feb 1999, Matthew Dillon wrote:

>     Uh.  Mmmmmm......  Hmmmmmm :-)
>
>         i = read(fd, &size, sizeof(size));
>         ... malloc(bufsize * sizeof(char))
>         i = read(fd, buf, bufsize);
>
>     When you are reading /dev/mem, 'size' can turn out to be anything.
>     You are then allocating 'size' bytes ( which could be some insane
>     value ).  Finally, you try to read() from /dev/mem into the buffer
>     the same insane value.
>
>     The system is almost certainly trying to kill this process, but it
>     can't because the process is stuck in an uninterruptible system read()
>     of an insane amount of data.
>
>     I don't think there is anything to 'fix' here.  The system is making
>     the best of a bad situation.  Perhaps, though, we could test for signal
>     9 within the insanely huge read() loops and pop out.

So this probably works for non-root users on files like /dev/zero that can
produce as much data as you might be interested in, suggesting a fun
denial of service attack for the bored and/or insane.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
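
The read/malloc/read pattern quoted above, rewritten so the length taken from the file is checked against a cap before it is used and the payload is read in bounded chunks so each system call stays short. This is an added example, not code from the thread; `read_record`, `read_full`, `demo`, `CHUNK` and the `max_len` cap are assumed names, and the input is a constructed pipe rather than /dev/mem.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CHUNK 4096  /* upper bound on any single read() request (assumed value) */

/* Read exactly n bytes, at most CHUNK per call, retrying on EINTR.
 * Returns 0 on success, -1 on error or premature end of file. */
static int read_full(int fd, unsigned char *p, size_t n) {
    while (n > 0) {
        ssize_t r = read(fd, p, n < CHUNK ? n : CHUNK);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Read a size header, then the payload, refusing sizes above max_len.
 * Returns 0 on success, -1 on I/O error, -2 on bad size, -3 on no memory. */
int read_record(int fd, size_t max_len, unsigned char **out, size_t *len) {
    size_t size;
    *out = NULL; *len = 0;
    if (read_full(fd, (unsigned char *)&size, sizeof size) != 0) return -1;
    if (size == 0 || size > max_len) return -2;  /* untrusted length rejected */
    unsigned char *buf = malloc(size);
    if (buf == NULL) return -3;
    if (read_full(fd, buf, size) != 0) { free(buf); return -1; }
    *out = buf; *len = size;
    return 0;
}

/* Constructed input: a pipe whose header claims `claimed` bytes but which
 * carries `actual` bytes of payload. Returns read_record()'s result. */
int demo(size_t claimed, size_t actual, size_t max_len) {
    int p[2]; unsigned char payload[64], *buf; size_t len;
    if (actual > sizeof payload || pipe(p) != 0) return -100;
    memset(payload, 'A', sizeof payload);
    if (write(p[1], &claimed, sizeof claimed) < 0) return -100;
    if (actual && write(p[1], payload, actual) < 0) return -100;
    close(p[1]);
    int rc = read_record(p[0], max_len, &buf, &len);
    if (rc == 0 && len != claimed) rc = -101;
    free(buf);
    close(p[0]);
    return rc;
}

int main(void) { return demo(16, 16, 1024) == 0 ? 0 : 1; }
```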