Date:      Mon, 14 Apr 1997 00:31:28 -0600
From:      Brett Glass <brett@lariat.org>
To:        freebsd-bugs@freebsd.org
Subject:   Problem with /dev/spkr driver can cause crashes
Message-ID:  <3.0.32.19970414003125.0068c68c@lariat.org>

I've written a Perl script that uses the /dev/spkr driver to sound an alarm
when certain events occur. Recently, I came home to find my FreeBSD 2.1.0-R
system playing random tones continuously. I found that a process which had
opened the device and played a few tones had wedged. When I killed the
process, the system squealed like a stuck pig, made a few other strange
noises, and abruptly rebooted without syncing the disk. There were several
bad file descriptors, including some in /dev that took a bit of time to
clean up. I was lucky that
no more data than this was lost.

Apparently, when a process opens /dev/spkr, sends a play string, and closes
the device before the string has finished playing, the device driver
continues playing the string until it's done. But if a process (either the
same one or another) comes along, opens the device, and sends it MORE notes
while the earlier ones are still playing, this confuses the driver and
causes it to play random strings from memory. It can also wedge the process
that attempts the second write, corrupt kernel memory, and/or cause the
system to crash.

I don't know if this problem could be exploited to hack into the system (it
might, and this possibility is worth a look). But it could certainly be
used to crash it and trash the disk, as my script did inadvertently.

--Brett
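
The failure mode reported above (a second opener sending notes while an earlier play string is still draining), modelled as an added example; it is not code from this message or from the FreeBSD spkr driver. `tone_dev` and the `tone_*` functions are hypothetical names in a userland model, which shows a busy guard that refuses the second opener until the queue is empty and bounds-checks every write.

```c
#include <errno.h>
#include <stddef.h>

#define QUEUE_MAX 64            /* assumed capacity of the note queue */

/* Hypothetical model of a tone device's state, not a real driver softc. */
struct tone_dev {
    int    owner_open;          /* a process currently holds the device */
    size_t pending;             /* notes queued but not yet played      */
};

/* open: exclusive, and refused while notes from an earlier opener are
 * still draining, so two play strings can never interleave. */
int tone_open(struct tone_dev *d)
{
    if (d->owner_open || d->pending > 0)
        return EBUSY;
    d->owner_open = 1;
    return 0;
}

/* write: only the current owner may queue notes, and never past the
 * end of the queue. */
int tone_write(struct tone_dev *d, size_t notes)
{
    if (!d->owner_open)
        return EBADF;
    if (notes > (size_t)QUEUE_MAX - d->pending)
        return ENOSPC;
    d->pending += notes;
    return 0;
}

/* close: drops ownership; queued notes keep playing, as in the report. */
void tone_close(struct tone_dev *d) { d->owner_open = 0; }

/* tick: stands in for the timer that plays one queued note. */
void tone_tick(struct tone_dev *d) { if (d->pending > 0) d->pending--; }

int main(void)
{
    struct tone_dev d = {0, 0};
    tone_open(&d);
    tone_write(&d, 3);
    tone_close(&d);                         /* closed before playback ends */
    return tone_open(&d) == EBUSY ? 0 : 1;  /* second opener is refused    */
}
```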



