> Hmm, don't know why init would get a segmentation violation here.  If you
 > didn't already, compile init with -g and look where the offending address in
 > the code is and how it got there.  Depending on your implementation of DDB
 > you might also want to set a breakpoint at vm_fault and look why it doesn't
 > want to give init access to the page at 67000.

It was found out that SIGSEGV occurred the lib/libc/locale/localeconv.c
following as an examined result.

 > > exc_dsi|exc_user=0x6737c dsisr=0x42000000 at 0x5e7b8

localeconv.c line 37
 :     static struct lconv ret;
 : 
 :     if (__mlocale_changed) {
 :         /* LC_MONETARY */
 :         ret.int_curr_symbol     = _CurrentMonetaryLocale->int_curr_symbol;

And, the direct cause which SIGSEGV occurs is in vm/vm_map.c.
vm/vm_map.c line 2373
 :         prot = entry->protection;
 :         if ((fault_type & (prot)) != fault_type)
 :                 RETURN(KERN_PROTECTION_FAILURE);

When SIGSEGV occurs, the value of prot is 0x5(VM_PROT_READ|VM_PROT_EXECUTE),
the value of fault_type is 0x3(VM_PROT_READ|VM_PROT_WRITE).

By way of experiment, I surrounded this with #if 0-#endif :-)
Then, /bin/sh works!
But, I don't think this method to become a fundamental solution.

# I want time more...

Kazuki Sakamoto
sakamoto@cec.co.jp