Subject: kern/29399: mmap/memcpy() can crash -current from userland
From: Tyler Retzlaff
List: netbsd-bugs
Date: 02/16/2005 13:02:00
>Number:         29399
>Category:       kern
>Synopsis:       mmap/memcpy() can crash -current from userland
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 16 13:02:00 +0000 2005
>Originator:     Tyler Retzlaff
>Release:        NetBSD 2.99.15
System: NetBSD 2.99.15 NetBSD 2.99.15 (_silence_) #0: Fri Feb 11 21:21:21 EST 2005 i386
Architecture: i386
Machine: i386
Use of mmap/memcpy as an unprivileged user can cause NetBSD to crash.

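#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

int
main(int argc, char **argv)
{
	int fd;
	size_t len;
	void *ptr;
	char *str = "hello\n";

	/* open() and mmap() arguments are kept exactly as submitted */
	if (-1 == (fd = open("zero", O_CREAT, O_RDWR)))
		perror("failed open");

	if (NULL == (ptr = mmap(0, strlen(str), PROT_READ|PROT_WRITE,
	    MAP_PRIVATE, fd, 0)))
		perror("failed mmap");

	memcpy(ptr, str, strlen(str));

	return 0;
}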
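
An added regression check, not part of the original report: on a kernel that handles this case correctly, writing to a file-backed mapping whose only page lies past end of file should terminate the process with SIGBUS and leave the system running. It assumes a fresh, empty temporary file in place of the report's "zero" file; the temp file name and the function name are constructed for this example.

```c
/* Added example (not from the report): run the map-and-copy in a child. */
#define _XOPEN_SOURCE 700	/* for mkstemp() under strict compiler modes */
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the signal that terminated the child, 0 if the copy unexpectedly
 * succeeded, or -1 on a setup error or if the kernel refused the mapping. */
int signal_on_empty_file_copy(void)
{
	char path[] = "/tmp/pr29399.XXXXXX";	/* constructed temp name */
	const char *str = "hello\n";
	int fd, status;
	pid_t pid;

	if ((fd = mkstemp(path)) == -1)		/* new file, length 0 */
		return -1;
	unlink(path);				/* fd keeps the file alive */
	if ((pid = fork()) == -1) {
		close(fd);
		return -1;
	}
	if (pid == 0) {
		/* Child: same mapping length, protection and copy as the report. */
		void *ptr = mmap(NULL, strlen(str), PROT_READ | PROT_WRITE,
		    MAP_PRIVATE, fd, 0);
		if (ptr == MAP_FAILED)		/* mmap reports failure this way */
			_exit(2);
		memcpy(ptr, str, strlen(str));	/* page is wholly past EOF */
		_exit(0);
	}
	close(fd);
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	if (WIFSIGNALED(status))
		return WTERMSIG(status);
	return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
	return signal_on_empty_file_copy() == SIGBUS ? 0 : 1;
}
```

Running the copy in a forked child lets the parent report the outcome as an exit status, so the check can sit in an automated test suite.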