Subject: kern/4804: Excessive mmaps crash system
To: None <>
From: None <>
List: netbsd-bugs
Date: 01/11/1998 17:23:36
>Number:         4804
>Category:       kern
>Synopsis:       excessive mmaps in one process crash system
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 11 14:50:01 1998
>Originator:     David A. Holland <>
   - David A. Holland             |    VINO project home page:    |
>Release:        1.2.1
System: NetBSD 1.2.1 NetBSD 1.2.1 (CHIANTI) #1: Tue Sep 9 16:52:39 EDT 1997 i386

	If you map one file too many times, or make too many mappings in
	one process (haven't determined which yet) the system locks up
	and stops responding to anything but ping.

	I discovered this while testing some code that does unpleasant
	things to Linux. In Linux the problem is related to overflow in
	the vnode use count, which is only 16 bits.

	The Linux problem is more serious in that instead of crashing,
	the system keeps running using free vnodes, which can then be
	exploited to gain root. It is not public yet, but probably will
	be in a few days (hence the confidentiality request).

#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

void main()
 int fd, i;

 fd = open("/bin/ls", O_RDONLY);

 for(i = 0; i < 65540; i++)
  mmap((char*)0x50000000 + (0x1000 * i), 0x1000,

	Don't know yet.