Hi,  It seems there is still a way to crash the kernel with the mmap call.
This one seems a lot less important since it appears only root can do it.
The following program triggers the crash on my small VMs (64M, amd64) as
well as my medium VM (1G RAM).  When triggered, it reports
"panic: malloc: out of space in kmem_map".  Due to ulimits, I cannot
reproduce this as a normal user, but it does reproduce reliably as root.
The panic happens at the same point as the mmap crash we reported earlier,
in the malloc() call inside of amap_alloc().

#include <stdio.h>
#include <sys/mman.h>

int main(int argc, char **argv)
{
    char *p;
    size_t sz;

    sz = 0x7fa0000fa;
    p = mmap((void*)0x100000, sz, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_SHARED|MAP_FIXED|MAP_ANON, -1, 0);
    printf("%lx %p\n", (unsigned long)sz, p);
    if(p == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    return 0;
}

-- 
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
