system features with the fuzzer. We'd be happy to answer
any questions that come up.
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
> > Modified files:
> > sys/uvm: uvm_map.c
> >
> > Log message:
> > add a check that the arguments to isavail don't overflow.
> > callers should probably check too, but checking here won't hurt.
> > possible panic reported by tim newsham.
> &
/tmp/mapfile", O_RDWR|O_CREAT, 0666);
xperror(fd == -1, "/tmp/mapfile");
write(fd, "testing\n", 8);
pg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS,
-1, 0);
xperror(pg == MAP_FAILED, "mmap");
p = mmap(pg+4096, 0xff
1024M VM. I only get crashes and dmesg output when running
as root.
Testing done on amd64 using 5.9-stable from yesterday.
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
which includes the fixes for the earlier reported mmap issues.
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
return 1;
}
return 0;
}
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
>
> I made the same change in my tree. So OK claudio@
>
Thank you both for the quick turnaround. Do you know if there will be an
errata for this?
We want to post this to oss-sec, but will wait until an errata is published
if one is planned.
--
Tim Newsham | www.thenewsh.com
buf;
int x;
x = sysctl(name, 3, buf, , 0, 0);
if(x == -1) perror("sysctl");
printf("no crash!\n");
return 0;
}
Tim Newsham
Distinguished Security Engineer, Security Consulting
NCC Group
Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9 F96C 8EFE CB2F 402D
3DF0
:
File "", line 1, in
OSError: [Errno 21] Is a directory
>
> - todd
>
>
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
/mnt", MNT_DOOMED);
xperror(fd == -1, "unmount");
printf("no crash!\n");
return 0;
}
--
Tim Newsham
Distinguished Security Engineer, Security Consulting
NCC Group
Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9 F96C 8EFE CB2F 402D
3DF0
Here's a bug related to tmpfs mounts.
Forwarded Message
Subject:[Bug49] Tmpfs mount with bad args can lead to a panic
Date: Mon, 11 Jul 2016 10:07:33 -1000
From: Tim Newsham <tim.newsham@nccgroup.trust>
To: dera...@openbsd.org, Jesse Hertz <Je
e extra padding arg added).
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
in the full
> 64bits.
>
That did the trick.. thank you.
> Philip Guenther
>
chrisC: glad to be of assistance.
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
s straight call:
1947 a.outCALL
mmap(0,0x1,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
*)0x10, 4*4096, 7, MAP_ANON, -1, 0);
printf("p %p\n", p);
munmap(p, 4*4096);
p2 = __syscall(197, 0x10, 4*4096, 7, MAP_ANON, -1, 0);
printf("p 0x%llx\n", p2);
return 0;
}
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
gv[i];
x = mknod(fn, S_IFBLK | 0666, -1);
if(x == -1)
perror(fn);
}
printf("nothing happened!\n");
return 0;
}
--
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
16 matches
Mail list logo