Subject: bin/9983: kdump seg faults using vis
To: None <gnats-bugs@gnats.netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-bugs
Date: 04/25/2000 14:50:18
>Number: 9983
>Category: bin
>Synopsis: kdump seg faults using vis
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 25 14:51:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Andrew Brown
>Release: 1.4X from 20000424
>Organization:
none. just me.
>Environment:
System: NetBSD ebola 1.4X NetBSD 1.4X (RESTON) #2: Mon Apr 24 07:57:34 PDT 2000 root@ebola:/usr/src/sys/arch/i386/compile/RESTON i386
>Description:
kdump dumps core if the io buffer that it's printing to stdout
(via vis(3)) ends on a page boundary. kdump (in ktrgenio())
calls vis(3) like this:
(void) vis(visbuf, *dp, VIS_CSTYLE, *(dp+1));
and dp can be a pointer into a page that has no page following
it. if it does, then the fourth argument to vis(3), the *(dp+1)
one, will attempt to dereference a pointer into the next page
that's not there.
simplistic patch attached.
>How-To-Repeat:
% ktrace cat /netbsd > /dev/null
% kdump > /dev/null
>Fix:
Index: kdump.c
===================================================================
RCS file: /cvsroot/basesrc/usr.bin/kdump/kdump.c,v
retrieving revision 1.28
diff -u -r1.28 kdump.c
--- kdump.c 2000/04/10 09:13:45 1.28
+++ kdump.c 2000/04/25 21:45:06
@@ -470,7 +470,7 @@
(void)printf(" \"");
col = 8;
for (; datalen > 0; datalen--, dp++) {
- (void) vis(visbuf, *dp, VIS_CSTYLE, *(dp+1));
+ (void) vis(visbuf, *dp, VIS_CSTYLE, datalen>1?*(dp+1):0);
cp = visbuf;
/*
* Keep track of printables and
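Review bot: the guard on the `+` line, `datalen>1?*(dp+1):0`, correctly stops the lookahead at the last byte of the buffer, but the spacing does not follow KNF; suggest `datalen > 1 ? *(dp + 1) : 0`. Passing 0 as `nextc` when no following byte exists is a safe sentinel: `nextc` only matters for deciding whether an octal escape needs its full three digits, and NUL is not a digit, so the encoded output for the final byte is unchanged. A one-line comment above the call saying that `dp + 1` may lie past the end of the mapped buffer would help keep the guard from being simplified away later.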
>Release-Note:
>Audit-Trail:
>Unformatted: