From owner-freebsd-bugs Sun Apr 13 23:32:03 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA19376 for bugs-outgoing; Sun, 13 Apr 1997 23:32:03 -0700 (PDT)
Received: from lariat.lariat.org ([129.72.251.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA19347 for ; Sun, 13 Apr 1997 23:32:01 -0700 (PDT)
Received: from solo.lariat.org ([129.72.251.10]) by lariat.lariat.org (8.8.5/8.8.5) with SMTP id AAA00503 for ; Mon, 14 Apr 1997 00:31:45 -0600 (MDT)
Message-Id: <3.0.32.19970414003125.0068c68c@lariat.org>
X-Sender: brett@lariat.org
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 14 Apr 1997 00:31:28 -0600
To: freebsd-bugs@freebsd.org
From: Brett Glass
Subject: Problem with /dev/spkr driver can cause crashes
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've written a Perl script that uses the /dev/spkr driver to sound an alarm when certain events occur. Recently, I came home to find my FreeBSD 2.1.0-R system playing random tones continuously. I found that a process which had opened the device and played a few tones had wedged. When I killed the process, the system squealed like a stuck pig, made a few other strange noises, and abruptly rebooted without syncing the disk. There were several bad file descriptors, including some in /dev that took a bit of time to clean up. I was lucky that no more data than this was lost.

Apparently, when a process opens /dev/spkr, sends a play string, and closes the device before the string has finished playing, the device driver continues playing the string until it's done. But if a process (either the same one or another) comes along, opens the device, and sends it MORE notes while the earlier ones are still playing, this confuses the driver and causes it to play random strings from memory. It can also wedge the process that attempts the second write, corrupt kernel memory, and/or cause the system to crash.

I don't know if this problem could be exploited to hack into the system (it might, and this possibility is worth a look). But it could certainly be used to crash it and trash the disk, as my script did inadvertently.

--Brett
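A userland mitigation for the overlap described in the report, as an added example that is not part of the original message and not FreeBSD code: every caller that sounds the speaker takes an exclusive advisory lock and holds it until the tune should have finished. The lock path, the function names and the `settle` estimate are assumptions made for this sketch, and it does not fix the driver itself.

```python
import fcntl
import os
import time
from contextlib import contextmanager

SPKR_DEV = "/dev/spkr"
LOCK_PATH = "/var/run/spkr.lock"  # assumed location; any path all callers share works


@contextmanager
def exclusive(lock_path, timeout=10.0, poll=0.1):
    """Hold an exclusive advisory lock, giving up after `timeout` seconds
    so callers do not queue up behind a wedged holder."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    deadline = time.monotonic() + timeout
    try:
        while True:
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                break
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    raise TimeoutError("speaker busy: " + lock_path)
                time.sleep(poll)
        yield
    finally:
        os.close(fd)  # closing the descriptor releases the flock


def play(notes, settle, device=SPKR_DEV, lock_path=LOCK_PATH, timeout=10.0):
    """Write one play string, then keep the lock for `settle` seconds.

    `settle` is the caller's estimate of how long the tune takes to sound;
    holding the lock that long keeps a second writer away while notes from
    the first are still playing (the condition the report describes)."""
    with exclusive(lock_path, timeout):
        with open(device, "wb", buffering=0) as spkr:
            spkr.write(notes.encode("ascii"))
        time.sleep(settle)
```

The lock is advisory, so it only serializes programs that go through this wrapper; restricting write permission on the device node to the account that runs it closes the remaining gap.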