Message-Id: <20030325205550.897.qmail@alpha.valabs.spb.ru>
Date: 25 Mar 2003 20:55:50 -0000
From: "Valentin A.Alekseev"
Reply-To: "Valentin A.Alekseev"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/50298: unlimited usage of AGP memory make system hung

>Number:         50298
>Category:       kern
>Synopsis:       unlimited usage of AGP memory make system hung
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 25 13:00:26 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Valentin A. Alekseev
>Release:        FreeBSD 5.0-RELEASE-p6 i386
>Organization:
Valentin A. Alekseev
>Environment:
System: FreeBSD alpha.valabs.spb.ru 5.0-RELEASE-p6 FreeBSD 5.0-RELEASE-p6 #3: Sun Mar 23 00:55:36 MSK 2003 valeks@alpha.valabs.spb.ru:/usr/src/sys/i386/compile/ALPHA i386

/usr/src/sys/pci/agp.c:
$FreeBSD: src/sys/pci/agp.c,v 1.22 2002/11/13 17:40:15 mux Exp $

XFree86 Version 4.3.0
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: FreeBSD 5.0-RELEASE-p4 i386 [ELF]
>Description:
AGP aperture memory is allocated in kernel address space with no limits ever set.
This is exploitable both by root and non-root users using either AGPIOC_* ioctls
directly or using any gl function with really big arguments (for the first time
this was discovered for glTexImage2D function on XFree86 4.3.0).
>How-To-Repeat:
Exploit is located at http://www.valabs.spb.ru/files/agpdos.c (1,6K)
>Fix:
Currently no fix or patch made by me.
>Release-Note:
>Audit-Trail:
>Unformatted:
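
The report asks for a limit on aperture allocations. The following is an added example, not code from this PR or from FreeBSD's agp.c: a user-space C model of charging each request against a fixed budget before any memory is allocated. The struct, function names, and 4096-byte page size are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SZ 4096u /* assumed page size */

/* Hypothetical accounting state for one aperture (not FreeBSD's struct). */
struct aperture_budget {
    size_t max_bytes;  /* hard cap, fixed when the device attaches */
    size_t used_bytes; /* bytes currently granted; never exceeds max_bytes */
};

/* Round a request up to whole pages. Rejects zero-length requests and
 * sizes so large that the rounding itself would wrap around. */
static int round_to_pages(size_t req, size_t *out)
{
    if (req == 0 || req > SIZE_MAX - (PAGE_SZ - 1))
        return EINVAL;
    *out = (req + PAGE_SZ - 1) & ~(size_t)(PAGE_SZ - 1);
    return 0;
}

/* Charge a request against the budget before allocating anything.
 * Comparing against (max - used) avoids overflow in used + size. */
int aperture_charge(struct aperture_budget *b, size_t req, size_t *granted)
{
    size_t size;
    int error = round_to_pages(req, &size);

    if (error != 0)
        return error;
    if (size > b->max_bytes - b->used_bytes)
        return ENOMEM;
    b->used_bytes += size;
    *granted = size;
    return 0;
}

/* Return a previously granted amount to the budget; clamps at zero. */
void aperture_release(struct aperture_budget *b, size_t granted)
{
    b->used_bytes -= (granted <= b->used_bytes) ? granted : b->used_bytes;
}

int main(void)
{
    struct aperture_budget b = { 64u * 1024 * 1024, 0 }; /* constructed cap */
    size_t g;
    return aperture_charge(&b, SIZE_MAX, &g) == EINVAL ? 0 : 1;
}
```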