Date: Tue, 12 Oct 2004 18:54:45 -0600
From: Shawn Webb <shawnwebb@softhome.net>
To: freebsd-hackers@freebsd.org
Subject: malloc calls and ioctl calls to soundcard cause segfault
Message-ID: <200410121854.45986.shawnwebb@softhome.net>
I have stumbled upon a local DoS (non-kernel) while writing a VoIP app for FreeBSD. The DoS exists when two ioctl calls (or less/more?) are followed by a malloc call to malloc a pointer in global scope, which is then followed by two more (or less/more?) ioctl calls. The result is a stack smash, and upon return of the function, the program segfaults.

gdb output of the core dump:

    Core was generated by `a.out'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.5
    Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
    Loaded symbols for /libexec/ld-elf.so.1
    #0  0x00000080 in ?? ()

I am currently running:

    FreeBSD 5.3-BETA7 FreeBSD 5.3-BETA7 #2: Sun Oct 10 21:05:53 MDT 2004  shawn@:/usr/obj/usr/src/sys/LATERALUS  i386

I have confirmed the same results on multiple FreeBSD machines, each running different versions spanning 4.10-RELEASE to 5.2.1-RELEASE (and my 5.3-BETA7 machine).

Shawn Webb
http://retoros.org:81/

(attached is the source code to the segfaulting application)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200410121854.45986.shawnwebb>
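The attached source is not reproduced on this page, so what the program actually passes to each ioctl is unknown. The check that belongs first in any "ioctl followed by stack smash" report, though, is independent of that source: on FreeBSD the size of an ioctl's argument is encoded in the request number (IOCPARM_LEN), and the kernel copies exactly that many bytes into the caller's pointer for an IOC_OUT request, whatever the caller really allocated. Handing a 4-byte `int` to a request that returns a 16-byte struct overwrites the caller's frame, and the program then faults on return from that function with the program counter pointing at a small garbage value, which is what the core dump above shows. The following program is an added example, not from the original post or its attachment; it reproduces the `<sys/ioccom.h>` encoding macros so it builds on any platform (an assumption labelled in the comments) and uses the OSS request numbers from `<sys/soundcard.h>` to report how many bytes each call will read and write and whether a given buffer size is safe.

```c
/*
 * Added example (not from the original post or the attached source):
 * decode a FreeBSD-style ioctl request number and check that the buffer
 * handed to ioctl(2) is at least as large as the kernel will copy out.
 *
 * On FreeBSD the size of the argument is encoded in the request number
 * (IOCPARM_LEN), and sys_ioctl copies exactly that many bytes in and/or
 * out of the user pointer, whatever the caller actually allocated.
 * The macros below reproduce the layout of <sys/ioccom.h> so this builds
 * off-FreeBSD (assumption: they match the 4.x/5.x headers); the OSS
 * request numbers are the ones from <sys/soundcard.h>.
 */
#include <stddef.h>
#include <stdio.h>

#define IOCPARM_SHIFT  13
#define IOCPARM_MASK   ((1UL << IOCPARM_SHIFT) - 1)
#define IOCPARM_LEN(x) (((x) >> 16) & IOCPARM_MASK)
#define IOCGROUP(x)    (((x) >> 8) & 0xff)
#define IOC_VOID       0x20000000UL
#define IOC_OUT        0x40000000UL
#define IOC_IN         0x80000000UL
#define IOC_INOUT      (IOC_IN | IOC_OUT)
#define _IOC(inout, group, num, len)                                     \
    ((unsigned long)(inout) | (((unsigned long)(len) & IOCPARM_MASK) << 16) \
     | ((unsigned long)(group) << 8) | (unsigned long)(num))
#define _IO(g, n)      _IOC(IOC_VOID, (g), (n), 0)
#define _IOR(g, n, t)  _IOC(IOC_OUT, (g), (n), sizeof(t))
#define _IOW(g, n, t)  _IOC(IOC_IN, (g), (n), sizeof(t))
#define _IOWR(g, n, t) _IOC(IOC_INOUT, (g), (n), sizeof(t))

/* OSS definitions as in <sys/soundcard.h>: four ints, 16 bytes. */
typedef struct audio_buf_info {
    int fragments;
    int fragstotal;
    int fragsize;
    int bytes;
} audio_buf_info;

#define SNDCTL_DSP_SPEED     _IOWR('P', 2, int)
#define SNDCTL_DSP_SETFMT    _IOWR('P', 5, int)
#define SNDCTL_DSP_GETOSPACE _IOR('P', 12, audio_buf_info)
#define SNDCTL_DSP_GETISPACE _IOR('P', 13, audio_buf_info)

/* Bytes the kernel writes back into the caller's buffer for cmd. */
unsigned long ioctl_copyout_len(unsigned long cmd)
{
    return (cmd & IOC_OUT) ? IOCPARM_LEN(cmd) : 0;
}

/* Bytes the kernel reads from the caller's buffer for cmd. */
unsigned long ioctl_copyin_len(unsigned long cmd)
{
    return (cmd & IOC_IN) ? IOCPARM_LEN(cmd) : 0;
}

/*
 * Return 1 if a buffer of argsize bytes is safe to pass for cmd, 0 if the
 * kernel would read or write past its end.  Call it with sizeof(var) for
 * every ioctl(fd, cmd, &var) before suspecting the driver.
 */
int ioctl_arg_fits(unsigned long cmd, size_t argsize)
{
    if (cmd & IOC_VOID)
        return 1;                     /* no argument is transferred */
    return argsize >= IOCPARM_LEN(cmd);
}

static void report(const char *name, unsigned long cmd, size_t argsize)
{
    printf("%-20s group '%c' in=%lu out=%lu bytes, caller has %zu: %s\n",
           name, (int)IOCGROUP(cmd), ioctl_copyin_len(cmd),
           ioctl_copyout_len(cmd), argsize,
           ioctl_arg_fits(cmd, argsize) ? "ok" : "OVERFLOW");
}

int main(void)
{
    int rate = 8000, fmt = 16;
    int too_small;                    /* 4 bytes where 16 will be written */
    audio_buf_info info;

    report("SNDCTL_DSP_SPEED", SNDCTL_DSP_SPEED, sizeof rate);
    report("SNDCTL_DSP_SETFMT", SNDCTL_DSP_SETFMT, sizeof fmt);
    report("SNDCTL_DSP_GETOSPACE", SNDCTL_DSP_GETOSPACE, sizeof too_small);
    report("SNDCTL_DSP_GETOSPACE", SNDCTL_DSP_GETOSPACE, sizeof info);
    return 0;
}
```

The same bookkeeping is what FreeBSD's sys_ioctl does before calling the driver, so a mismatch found by `ioctl_arg_fits` is a bug in the calling program rather than in the kernel; the position of the malloc call only changes which stack slots the overflow lands on, not whether it happens.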