From owner-freebsd-bugs@FreeBSD.ORG Sun Jan 11 23:50:03 2009
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CF63A1065673 for ; Sun, 11 Jan 2009 23:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id BDE2C8FC16 for ; Sun, 11 Jan 2009 23:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n0BNo3Qw033145 for ; Sun, 11 Jan 2009 23:50:03 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n0BNo3sj033144; Sun, 11 Jan 2009 23:50:03 GMT (envelope-from gnats)
Date: Sun, 11 Jan 2009 23:50:03 GMT
Message-Id: <200901112350.n0BNo3sj033144@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Gavin Atkinson
Subject: Re: kern/130391: Normal users can crash 7.0-RELEASE through "kenv" syscall
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Gavin Atkinson
List-Id: Bug reports
X-List-Received-Date: Sun, 11 Jan 2009 23:50:04 -0000

The following reply was made to PR kern/130391; it has been noted by GNATS.
From: Gavin Atkinson
To: bug-followup@FreeBSD.org
Cc: scottl@FreeBSD.org
Subject: Re: kern/130391: Normal users can crash 7.0-RELEASE through "kenv" syscall
Date: Sun, 11 Jan 2009 23:15:03 +0000 (GMT)

I can confirm that this bug still exists on HEAD (sparc64):

FreeBSD 8.0-20081215-SNAP (GENERIC) #0: Mon Dec 15 15:58:11 UTC 2008

> cc 130391.c
> ./a.out
panic: kmem_malloc(-2147483648): kmem_map too small: 3497984 total allocated
cpuid = 0
KDB: enter: panic
[thread pid 1124 tid 100065 ]
Stopped at      kdb_enter+0x80: ta              %xcc, 1
db> bt
Tracing pid 1124 tid 100065 td 0xfffff80001b0b880
panic() at panic+0x20c
kmem_malloc() at kmem_malloc+0x2d8
page_alloc() at page_alloc+0x28
uma_large_malloc() at uma_large_malloc+0x44
malloc() at malloc+0x1b0
kenv() at kenv+0x88
syscall() at syscall+0x2f0
-- syscall (390, FreeBSD ELF64, kenv) %o7=0x10067c --
userland() at 0x40454768
user trace: trap %o7=0x10067c
pc 0x40454768, sp 0x7fdffffe211
pc 0x100550, sp 0x7fdffffe341
pc 0x402066f4, sp 0x7fdffffe401
done
db>

The changes that introduced this seem to be sys/kern/kern_environment.c 1.44 (by scottl@, cc'd)

Gavin
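The backtrace above shows the shape of the bug: a signed `len` argument supplied by an unprivileged caller reaches the kernel allocator as `kmem_malloc(-2147483648)`, and because the allocation cannot fail (M_WAITOK) the kernel panics instead of returning an error. The following stand-alone userland C program is an added illustration of that class, not FreeBSD's `sys/kern/kern_environment.c` and not the reporter's `130391.c`. The handler names, the mock allocator, its map size and the `MAX_DUMP_LEN` bound are all assumptions made for the example; the real kernel has its own limits.

```c
/*
 * Added illustration of the bug class in PR kern/130391: a user-supplied
 * signed length is passed to an allocator that has no failure path.
 * Not FreeBSD code. All names and bounds below are assumptions for the example.
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a dump buffer (hypothetical, not the kernel's). */
#define MAX_DUMP_LEN (64 * 1024)

/* Mock of a non-failing kernel allocator: a request larger than the
 * (assumed) kernel map cannot be satisfied and would panic the real kernel. */
#define MOCK_KMEM_MAP_SIZE ((size_t)16 * 1024 * 1024)

static bool panicked;

static void *mock_kmalloc(size_t size)
{
    if (size > MOCK_KMEM_MAP_SIZE) {
        /* M_WAITOK-style allocation: no error return, the kernel panics. */
        panicked = true;
        return NULL;
    }
    return calloc(1, size ? size : 1);
}

/* Size the allocator actually sees when an int is widened to size_t:
 * INT_MIN becomes 0xffffffff80000000 on LP64 (0x80000000 on ILP32). */
size_t requested_size(int len)
{
    return (size_t)len;
}

/* Vulnerable shape: trusts the caller's length.
 * Returns 0 on success, -1 if the mock allocator "panicked". */
int dump_env_vulnerable(int len)
{
    panicked = false;
    char *buf = mock_kmalloc((size_t)len);
    if (panicked)
        return -1;
    free(buf);
    return 0;
}

/* Hardened shape: reject negative and oversized lengths before allocating.
 * Returns 0 on success, EINVAL for a bad length, -1 if the allocator panicked. */
int dump_env_checked(int len)
{
    panicked = false;
    if (len < 0 || len > MAX_DUMP_LEN)
        return EINVAL;
    char *buf = mock_kmalloc((size_t)len);
    if (panicked)
        return -1;
    free(buf);
    return 0;
}

int main(void)
{
    printf("size seen by allocator for INT_MIN: 0x%zx\n", requested_size(INT_MIN));
    printf("vulnerable(INT_MIN) -> %d (panicked=%d)\n",
           dump_env_vulnerable(INT_MIN), (int)panicked);
    printf("checked(INT_MIN)    -> %d (EINVAL=%d)\n", dump_env_checked(INT_MIN), EINVAL);
    printf("checked(4096)       -> %d\n", dump_env_checked(4096));
    return 0;
}
```

The check belongs before the allocation, on the signed value as the caller passed it: once `len` has been widened to `size_t` a negative number is indistinguishable from a legitimate huge request, and an allocator that cannot fail turns an unprivileged bad argument into a denial of service.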