From owner-freebsd-security@FreeBSD.ORG  Fri May  7 11:28:00 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9EEF016A4CE
	for <freebsd-security@FreeBSD.org>;
	Fri,  7 May 2004 11:28:00 -0700 (PDT)
Received: from www3.your-server.de (www3.your-server.de [213.133.104.3])
	by mx1.FreeBSD.org (Postfix) with SMTP id B623343D49
	for <freebsd-security@FreeBSD.org>;
	Fri,  7 May 2004 11:27:59 -0700 (PDT)
	(envelope-from nectar@FreeBSD.org)
Received: (qmail 25007 invoked by uid 505); 7 May 2004 18:27:59 -0000
Received: from nectar@FreeBSD.org by www3.your-server.de by uid 502 with
	qmail-scanner-1.15  (vexira: 6.25.0.3/6.25.0.53.  Clear:. 
	Processed in 1.785454 secs); 07 May 2004 18:27:59 -0000
X-Qmail-Scanner-Mail-From: nectar@FreeBSD.org via www3.your-server.de
X-Qmail-Scanner: 1.15 (Clear:. Processed in 1.785454 secs)
Received: from pd9e8e6e3.dip.t-dialin.net (HELO europa.DSHSTATISTIK.DE)
	(217.232.230.227)
	by www3.your-server.de with SMTP; 7 May 2004 18:27:57 -0000
Received: from europa.DSHSTATISTIK.DE ([192.168.0.30]) by
	europa.DSHSTATISTIK.DE with Microsoft SMTPSVC(5.0.2195.5329);
	Fri, 7 May 2004 20:30:16 +0200
Received: by europa.DSHSTATISTIK.DE (Microsoft Connector for POP3 Mailboxes
	5.00.2195) with SMTP (Global POP3 Download)
	id MSG05072004-203011-124.MMD@DSHSTATISTIK.DE;
	Fri, 7 May 2004 20:30:11 +0200
Delivered-To: dshstat-webmaster@dsh-statistik.de
Received: (qmail 18366 invoked by uid 910); 7 May 2004 18:12:49 -0000
Delivered-To: dshstat-johannes.klein@dsh-statistik.de
Received: (qmail 18361 invoked by uid 505); 7 May 2004 18:12:49 -0000
Received: from
	bugtraq-return-14264-johannes.klein=dsh-statistik.de@securityfocus.com by
	www3.your-server.de by uid 502 with qmail-scanner-1.15 
	(vexira: 6.25.0.3/6.25.0.53.  Clear:. 
	Processed in 1.198223 secs); 07 May 2004 18:12:49 -0000
X-Qmail-Scanner-Mail-From:
	bugtraq-return-14264-johannes.klein=dsh-statistik.de@securityfocus.com via
	www3.your-server.de
X-Qmail-Scanner: 1.15 (Clear:. Processed in 1.198223 secs)
Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com)
	(205.206.231.27)
	by www3.your-server.de with SMTP; 7 May 2004 18:12:47 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com
	[205.206.231.20])	by outgoing.securityfocus.com (Postfix) with QMQP
	id 4A31D236F89; Fri,  7 May 2004 20:01:47 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 14028 invoked from network); 5 May 2004 10:44:12 -0000
Date: Wed, 5 May 2004 11:56:36 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: freebsd-security@FreeBSD.org, full-disclosure@lists.netsys.com,
	bugtraq@securityfocus.com
Message-ID: <20040505165636.GB40758@hellblazer.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	freebsd-security@FreeBSD.org, full-disclosure@lists.netsys.com,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.4i
X-OriginalArrivalTime: 07 May 2004 18:30:16.0125 (UTC)
	FILETIME=[57B63ED0:01C43461]
Subject: Fwd: [Re: cvs commit: src/sys/vm vm_map.c]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2004 18:28:00 -0000

Hello,

FYI:
A FreeBSD user suggested that this issue requires a security advisory.
The issue has been public for some time, but currently, FreeBSD does not
issue advisories for local denial-of-service issues.  It is expected
that this bug will soon be fixed in FreeBSD 4.x (it is already fixed
in FreeBSD 5.x, as you can see below).

Cheers,
-- 
Jacques Vidrine <nectar@freebsd.org>

----- Forwarded message from Tim Robbins <tjr@freebsd.org> -----

Date: Tue, 23 Mar 2004 21:53:10 +1100
From: Tim Robbins <tjr@freebsd.org>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/vm vm_map.c
Message-ID: <20040323105310.GA14855@cat.robbins.dropbear.id.au>

On Tue, Mar 23, 2004 at 11:33:00AM +0100, Pawel Jakub Dawidek wrote:

> On Tue, Mar 23, 2004 at 12:37:35AM -0800, Tim J. Robbins wrote:
> +> tjr         2004/03/23 00:37:34 PST
> +> 
> +>   FreeBSD src repository
> +> 
> +>   Modified files:
> +>     sys/vm               vm_map.c 
> +>   Log:
> +>   Do not copy vm_exitingcnt to the new vmspace in vmspace_exec(). Copying
> +>   it led to impossibly high values in the new vmspace, causing it to never
> +>   drop to 0 and be freed.
> 
> How serious it is? Do you planning to MFC it to RELENG_4 with peter@'s
> patch of course?

A user can cause the kernel to allocate an unbounded amount of wired
memory, causing the machine to panic or stop responding. It's been observed
to happen under real workloads; that is, the circumstances are not so
contrived that the bug could only be caused by a malicious user.

I don't have any immediate plans to MFC it (I don't have any 4.x systems
right now), but peter@ or ps@ may want to after letting it settle for a
while in -current.


Tim

----- End forwarded message -----