Date: Mon, 1 Feb 1999 23:25:52 -0500 (EST)
From: Robert Watson
To: Matthew Dillon
cc: current@FreeBSD.ORG
Subject: Re: swap_page_getswapspace failed (don't do stupid things with /dev/mem)
In-Reply-To: <199902020419.UAA31702@apollo.backplane.com>

On Mon, 1 Feb 1999, Matthew Dillon wrote:

> Uh. Mmmmmm...... Hmmmmmm :-)
>
>     i = read(fd, &size, sizeof(size));
>     ... malloc(bufsize * sizeof(char))
>     i = read(fd, buf, bufsize);
>
> When you are reading /dev/mem, 'size' can turn out to be anything.
> You are then allocating 'size' bytes ( which could be some insane
> value ). Finally, you try to read() from /dev/mem into the buffer
> the same insane value.
>
> The system is almost certainly trying to kill this process, but it
> can't because the process is stuck in an uninterruptable system read()
> of an insane amount of data.
>
> I don't think there is anything to 'fix' here. The system is making
> the best of a bad situation. Perhaps, though, we could test for signal
> 9 within the insanely huge read() loops and pop out.

So this probably works for non-root users on files like /dev/zero that can
produce as much data as you might be interested in, suggesting a fun denial
of service attack for the bored and/or insane.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
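
As an added example (not code from either poster), here is a hardened form of the length-prefixed read quoted above: the length taken from the file is checked against a cap before it reaches malloc() or read(), and the payload is read in bounded chunks. MAX_RECORD, CHUNK, read_full, read_record and demo are assumed names, and the pipe input in demo is constructed.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_RECORD (1u << 20)   /* assumed policy cap: 1 MiB per record */
#define CHUNK      (64u << 10)  /* bounded per-call size keeps each read() short */

/* Read exactly n bytes in bounded chunks; 0 on success, -1 on EOF/error. */
static int read_full(int fd, void *dst, size_t n)
{
    unsigned char *p = dst;
    while (n > 0) {
        ssize_t r = read(fd, p, n < CHUNK ? n : CHUNK);
        if (r < 0 && errno == EINTR) continue;   /* interrupted: retry */
        if (r <= 0) return -1;                   /* EOF or hard error */
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Validate the length prefix before malloc/read; payload length or -1. */
long read_record(int fd, unsigned char **out)
{
    size_t size;
    *out = NULL;
    if (read_full(fd, &size, sizeof(size)) != 0) return -1;
    if (size == 0 || size > MAX_RECORD) return -1;   /* reject before malloc */
    unsigned char *buf = malloc(size);
    if (buf == NULL) return -1;
    if (read_full(fd, buf, size) != 0) { free(buf); return -1; }
    *out = buf;
    return (long)size;
}

/* Constructed input: feed a claimed length plus payload through a pipe. */
long demo(size_t claimed, const char *payload, size_t len)
{
    int p[2];
    unsigned char *buf = NULL;
    if (pipe(p) != 0) return -2;
    int ok = write(p[1], &claimed, sizeof(claimed)) >= 0 && write(p[1], payload, len) >= 0;
    close(p[1]);                       /* EOF after the constructed bytes */
    long n = ok ? read_record(p[0], &buf) : -2;
    if (n > 0 && memcmp(buf, payload, (size_t)n) != 0) n = -3;
    close(p[0]);
    free(buf);
    return n;
}
```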