Subject: kern/7722: any user can freeze the system via mmap + write
To: None <gnats-bugs@gnats.netbsd.org>
From: Antti Kantee <pooka@iki.fi>
List: netbsd-bugs
Date: 06/06/1999 11:20:51
>Number:         7722
>Category:       kern
>Synopsis:       any user can freeze the system via mmap + write
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun  6 11:20:00 1999
>Last-Modified:
>Originator:     Antti Kantee
>Organization:
>Release:        NetBSD/i386 1.4C
>Environment:
NetBSD/i386 1.4C, supped and compiled (kernel) today

>Description:
By following the actions described in How-To-Repeat any user can freeze
(note: not panic, but freeze) the system completely. X becomes totally
unresponsive. The text console becomes unresponsive too; pressing
CTRL-Z prints out ^Z, but nothing else intelligent happens. This box
is completely alone, so I have no way of testing whether it is really dead or
just faking. Nothing happened in the 10 minutes that I bothered
to wait.

>How-To-Repeat:
I suspect that there are also other ways to make this problem surface,
but here's the one I ran into. Compile and run the following code.

--SNIP--
#include <sys/types.h>
#include <sys/mman.h>

#include <fcntl.h>
#include <unistd.h>

int
main(void)
{
   int fd1, fd2;
   void *file1;

   /* Map the first 100 bytes of a world-readable file. */
   fd1 = open("/etc/passwd", O_RDONLY);
   file1 = mmap(0, 100, PROT_READ, MAP_FILE, fd1, 0);

   /* Write from the mapping to the audio device, asking for 10010
    * bytes: far more than the 100 bytes that were mapped, so the
    * kernel's copy from user space runs past the end of the mapping. */
   fd2 = open("/dev/audio", O_WRONLY);
   write(fd2, file1, 10010);

   return 0;
}
--UNSNIP--

Note that the problem depends on the last argument to write: 101 or 1001
bytes were not enough to freeze the system (my system), but 10010 worked
'like a charm'.

>Fix:
	Don't do it. (admittedly not a very good fix..)
>Audit-Trail:
>Unformatted:
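The check a practitioner would want after a fix for a report like this: a write() whose user buffer runs off the end of a mapping has to come back with EFAULT, or with a short count covering only the mapped page, and must never block or hand the device bytes that were not readable from user space. The following program is an added example, not part of the PR or of NetBSD; it builds the same shape of request (a one-page mapping, a write asking for more than two pages) but writes to a pipe instead of /dev/audio, so it does not reproduce the freeze itself, only the safe behaviour a correct kernel should show. The temp file contents, the page layout and the request length are constructed for the example; the function name check_overlong_write is my own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <sys/mman.h>
#include <sys/types.h>

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Added check (not the PR's code): write() from a buffer that runs off
 * the end of a mapping must return EFAULT or a short count that covers
 * only the mapped page.  A pipe stands in for /dev/audio.
 * Returns 0 when the kernel handled the write safely, -1 otherwise
 * (including setup failures).
 */
int check_overlong_write(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    int fd = -1, pfd[2] = { -1, -1 };
    char *fill = NULL, *base = MAP_FAILED;
    char path[] = "/tmp/overlong-XXXXXX";   /* constructed temp file */
    char buf[512];
    ssize_t n, got = 0, r;
    size_t want;
    int werr, clean = 1, rc = -1;

    if (pg <= 0)
        return -1;

    /* Constructed input: an unlinked temp file holding two pages of 'x'. */
    if ((fd = mkstemp(path)) < 0)
        return -1;
    unlink(path);
    if ((fill = malloc((size_t)pg * 2)) == NULL)
        goto out;
    memset(fill, 'x', (size_t)pg * 2);
    if (write(fd, fill, (size_t)pg * 2) != pg * 2)
        goto out;

    /* Map both pages, then unmap the second, so the mapping is known to
     * end at a page boundary followed by unmapped address space. */
    base = mmap(NULL, (size_t)pg * 2, PROT_READ, MAP_PRIVATE, fd, 0);
    if (base == MAP_FAILED)
        goto out;
    if (munmap(base + pg, (size_t)pg) != 0)
        goto out;

    if (pipe(pfd) != 0)
        goto out;

    /* Same shape as the PR: ask for far more than is mapped.  2*pg+10
     * stays well below a typical pipe capacity, so a correct kernel
     * never blocks here; it either fails or truncates. */
    want = (size_t)pg * 2 + 10;
    errno = 0;
    n = write(pfd[1], base, want);
    werr = errno;
    close(pfd[1]);
    pfd[1] = -1;

    if (n < 0) {
        rc = (werr == EFAULT) ? 0 : -1;   /* rejected outright: fine */
    } else if (n <= pg) {
        /* Short write: everything that arrived must be the mapped 'x's,
         * and the returned count must match what the pipe really holds. */
        while ((r = read(pfd[0], buf, sizeof buf)) > 0) {
            for (ssize_t i = 0; i < r; i++)
                if (buf[i] != 'x')
                    clean = 0;
            got += r;
        }
        rc = (clean && got == n) ? 0 : -1;
    } else {
        rc = -1;   /* claims to have copied bytes it could not read */
    }

out:
    if (pfd[0] >= 0) close(pfd[0]);
    if (pfd[1] >= 0) close(pfd[1]);
    if (base != MAP_FAILED) munmap(base, (size_t)pg * 2);
    free(fill);
    if (fd >= 0) close(fd);
    return rc;
}

int main(void)
{
    int rc = check_overlong_write();
    printf("overlong write from partial mapping: %s\n",
           rc == 0 ? "handled safely" : "NOT handled safely (or setup failed)");
    return rc == 0 ? 0 : 1;
}
```

The second page is unmapped rather than merely protected so that the faulting access is the same kind the PR triggers, a read from an address with no mapping behind it. Running the check against the real device is deliberately left out: on a kernel with this bug it would hang the machine, which is the whole point of the report.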