Subject: kern/4804: Excessive mmaps crash system
To: None <firstname.lastname@example.org>
From: None <email@example.com>
Date: 01/11/1998 17:23:36
>Synopsis: excessive mmaps in one process crash system
>Responsible: kern-bug-people (Kernel Bug People)
>Arrival-Date: Sun Jan 11 14:50:01 1998
>Originator: David A. Holland <firstname.lastname@example.org>
- David A. Holland | VINO project home page:
email@example.com | http://www.eecs.harvard.edu/vino
System: NetBSD chianti.eecs.harvard.edu 1.2.1 NetBSD 1.2.1 (CHIANTI) #1: Tue Sep 9 16:52:39 EDT 1997 firstname.lastname@example.org:/usr/src/sys/arch/i386/compile/CHIANTI i386
If you map one file too many times, or make too many mappings in
one process (haven't determined which yet) the system locks up
and stops responding to anything but ping.
I discovered this while testing some code that does unpleasant
things to Linux. In Linux the problem is related to overflow in
the vnode use count, which is only 16 bits.
The Linux problem is more serious in that instead of crashing,
the system keeps running using free vnodes, which can then be
exploited to gain root. It is not public yet, but probably will
be in a few days (hence the confidentiality request).
int fd, i;
fd = open("/bin/ls", O_RDONLY);
for(i = 0; i < 65540; i++)
mmap((char*)0x50000000 + (0x1000 * i), 0x1000,
PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
Don't know yet.