From owner-freebsd-security Sun Sep 5 21:16: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 2E40814DE6; Sun, 5 Sep 1999 21:16:00 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id VAA70569; Sun, 5 Sep 1999 21:14:42 -0700 (PDT) (envelope-from dillon) Date: Sun, 5 Sep 1999 21:14:42 -0700 (PDT) From: Matthew Dillon Message-Id: <199909060414.VAA70569@apollo.backplane.com> To: "Brian F. Feldman" Cc: Garrett Wollman , Nick Hibma , FreeBSD -- The Power to Serve , Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: FW: Local DoS in FreeBSD References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :On Sun, 5 Sep 1999, Matthew Dillon wrote: : :> :> :> old value of ui_sbsize when uip is not NULL. That may make the :> :> problem more obvious. :> : :> :I've gdb'd every crash and it's been something like ui_sbsize = 0x1234 :> :delta = -0x2000. :> : :> : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ :> :> 0x1234 could be an indication of a reference to a data structure :> which has been freed. : :That would be 0xdeadc0de, but it wasn't actually 0x1234. It was something :else somewhat similar. After tracking down the problem k6_mem.c has, I may :look much more into this. : : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \ I'm trying to remember where that came from.. .grep grep grep. Ah, here we are. 0x12342378 is used by the zone allocator to indicate a free entry. It stores it in a particular place (it isn't a fill). (see vm/vm_zone.h) -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message