On Mon, 1 Feb 1999, Matthew Dillon wrote:

>     Uh.  Mmmmmm...... Hmmmmmm :-)
> 
>       i = read(fd, &size, sizeof(size));
>       ... buf = malloc(size * sizeof(char));
>       i = read(fd, buf, size);
>     
>     When you are reading /dev/mem, 'size' can turn out to be anything.
>     You are then allocating 'size' bytes ( which could be some insane
>     value ).  Finally, you try to read() from /dev/mem into the buffer
>     the same insane value.
> 
>     The system is almost certainly trying to kill this process, but it
>     can't because the process is stuck in an uninterruptable system read()
>     of an insane amount of data.
> 
>     I don't think there is anything to 'fix' here.  The system is making
>     the best of a bad situation.  Perhaps, though, we could test for signal
>     9 within the insanely huge read() loops and pop out.

So this probably works for non-root users on files like /dev/zero that can
produce as much data as you might be interested in, suggesting a fun
denial of service attack for the bored and/or insane.

  Robert N Watson 

rob...@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/


To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-current" in the body of the message
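The userland side of the pattern Dillon quotes, as an added example that is not code from the thread or from FreeBSD: the size read from the descriptor is bounded before it reaches malloc() and before the read loop, so a file that can hand back any number (or, as Robert notes, any amount of data) cannot push the process into an enormous allocation and an equally enormous read. The unchecked variant is shown beside it for contrast. MAX_RECORD, the pipe-based demo_checked() harness and the record layout (a 4-byte native-endian length, then the payload) are assumptions of this example.

```c
/* Added example, not from the original thread: a length-prefixed read with
 * the size validated before allocation, beside the unchecked pattern.
 * Input is fed through a pipe so the example runs offline. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Largest record we are prepared to buffer; an assumed policy value. */
#define MAX_RECORD 4096

/* Read exactly `len` bytes, retrying on EINTR and short reads.
 * Returns 0 on success, -1 on error or on EOF before `len` bytes. */
static int read_full(int fd, void *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted by a signal: retry */
            return -1;
        }
        if (n == 0) return -1;              /* EOF: the sender lied about size */
        got += (size_t)n;
    }
    return 0;
}

/* The shape of the quoted code: whatever `size` the file yields is trusted. */
int read_record_unchecked(int fd, char **out, uint32_t *out_len) {
    uint32_t size;
    if (read(fd, &size, sizeof size) != (ssize_t)sizeof size) return -1;
    char *buf = malloc(size);               /* size may be anything at all */
    if (buf == NULL) return -1;
    if (read_full(fd, buf, size) != 0) { free(buf); return -1; }
    *out = buf; *out_len = size;
    return 0;
}

/* Hardened: reject out-of-range sizes before malloc() and before the loop. */
int read_record_checked(int fd, char **out, uint32_t *out_len) {
    uint32_t size;
    if (read_full(fd, &size, sizeof size) != 0) return -1;
    if (size == 0 || size > MAX_RECORD) {
        errno = EMSGSIZE;                   /* nothing allocated, nothing read */
        return -1;
    }
    char *buf = malloc(size);
    if (buf == NULL) return -1;
    if (read_full(fd, buf, size) != 0) { free(buf); return -1; }
    *out = buf; *out_len = size;
    return 0;
}

/* Demo harness: push a constructed header + payload through a pipe and
 * return what read_record_checked() makes of it (0 = accepted, -1 = rejected). */
int demo_checked(uint32_t claimed, const char *payload, char **out, uint32_t *out_len) {
    int p[2];
    if (pipe(p) != 0) return -1;
    if (write(p[1], &claimed, sizeof claimed) != (ssize_t)sizeof claimed ||
        write(p[1], payload, strlen(payload)) != (ssize_t)strlen(payload)) {
        close(p[0]); close(p[1]);
        return -1;
    }
    close(p[1]);                            /* EOF follows the payload */
    int rc = read_record_checked(p[0], out, out_len);
    close(p[0]);
    return rc;
}

int main(void) {
    char *buf = NULL;
    uint32_t len = 0;
    /* Constructed inputs: a sane header, then an "insane" one. */
    printf("size 5 with 5 bytes:        rc=%d\n",
           demo_checked(5, "hello", &buf, &len));
    free(buf);
    printf("size 0xFFFFFFFF:            rc=%d (%s)\n",
           demo_checked(0xFFFFFFFFu, "hello", &buf, &len), strerror(errno));
    printf("size 8 but only 5 bytes:    rc=%d\n",
           demo_checked(8, "hello", &buf, &len));
    return 0;
}
```

The bound belongs before the allocation, not after it: once malloc() of an arbitrary size has succeeded, the following read() is exactly the uninterruptible call the quoted message describes, and the kernel-side signal check Dillon suggests is the only remaining way out.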
