Subject: copy(9) problems? (from FreeBSD?)
To: None <port-i386@netbsd.org, tech-security@netbsd.org>
From: Sean Davis <erplefoo@gmail.com>
List: tech-security
Date: 03/13/2005 22:46:39
Okay, I recently read that there is an issue with copyout on i386 on
FreeBSD and OpenBSD... looking at the patch, I think this probably
applies to NetBSD as well. I've adapted this patch to our
sys/arch/i386/i386/locore.S, and I haven't seen any problems. I
personally have about zero knowledge of i386 assembly, so I think that
perhaps somebody else should check this patch out. The implication I
got from Theo's statement to FreeBSD was that this was a serious issue
(he threatened to send them OpenSSH bugfixes last over it) but... no
offense intended, honestly... Theo can be quite hard to grok when he's
angry.

The OpenBSD patch:

Index: sys/arch/i386/i386/locore.s
===================================================================
RCS file: /cvs/src/sys/arch/i386/i386/locore.s,v
retrieving revision 1.80
retrieving revision 1.80.2.1
diff -u -p -r1.80 -r1.80.2.1
--- sys/arch/i386/i386/locore.s 20 Jul 2004 20:16:44 -0000 1.80
+++ sys/arch/i386/i386/locore.s 27 Feb 2005 00:57:02 -0000 1.80.2.1
@@ -1242,6 +1242,8 @@ ENTRY(copyoutstr)

1: decl %edx
jz 2f
+ cmpl $VM_MAXUSER_ADDRESS,%edi
+ jae _C_LABEL(copystr_fault)
lodsb
stosb
testb %al,%al
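Review bot: copystr_fault, the target of the new `jae`, is outside the hunk, so it is not visible here whether that label returns EFAULT and tears down the on-fault handler correctly when reached by a direct jump from this loop rather than from the trap path; please confirm both, and that nothing else around the loop assumes it can only be left via the `jz 2f` or the `jnz 1b`, before merging. The placement of the check itself looks right: it comes after the `decl %edx` / `jz 2f` length test and before `lodsb` / `stosb`, so the kernel-side read through %esi is unaffected and the store is refused as soon as %edi reaches VM_MAXUSER_ADDRESS (`jae`, i.e. the bound is exclusive), which is the comparison a per-byte string copy needs because its total length is not known before the loop starts.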
** snip **

My adaptation of it for NetBSD:

Index: sys/arch/i386/i386/locore.S
===================================================================
RCS file: /disks/wd1a/nb/anoncvs/src/sys/arch/i386/i386/locore.S,v
retrieving revision 1.32
diff -u -r1.32 locore.S
--- sys/arch/i386/i386/locore.S 2 Mar 2005 12:00:25 -0000       1.32
+++ sys/arch/i386/i386/locore.S 14 Mar 2005 01:52:22 -0000
@@ -1172,6 +1172,8 @@

1:     decl    %edx
       jz      2f
+       cmpl $VM_MAXUSER_ADDRESS,%edi
+       jae _C_LABEL(copystr_fault)
       lodsb
       stosb
       testb   %al,%al
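Review bot: the hunk header `@@ -1172,6 +1172,8 @@` carries no function name (the OpenBSD diff above was taken with `-p` and shows `ENTRY(copyoutstr)`), so from this hunk alone a reviewer cannot tell whether the two lines landed in copyoutstr, where %edi is the user destination, or in copyinstr, whose byte loop can look identical (`decl` / `jz` / `lodsb` / `stosb` / `testb`) but where the user pointer is the source in %esi and a check on %edi would guard the wrong register; please regenerate the diff with `cvs diff -up` so the enclosing function is shown. Style: the surrounding lines separate mnemonic and operands with a tab (`jz      2f`, `testb   %al,%al`), while the added lines use a single space (`cmpl $VM_MAXUSER_ADDRESS,%edi`); use tabs to match the file.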
** snip **

Do we need this?
-- 
Sean
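To make the effect of the patched check concrete, here is a user-space model of the copyoutstr() byte loop with and without the per-byte bound compare. This is an added example, not the NetBSD or OpenBSD kernel code: the "address space" is a constructed buffer whose user region ends at a model VM_MAXUSER_ADDRESS, the return values (0, EFAULT, ENAMETOOLONG) are assumed to mirror the copy(9) contract, and the exact off-by-one handling of maxlen in the real assembly is not reproduced.

```c
/*
 * Added example, not kernel code: model of the copyoutstr() byte loop
 * before and after the "cmpl $VM_MAXUSER_ADDRESS,%edi / jae copystr_fault"
 * check.  Everything below is constructed for illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed address space: a "user" region immediately followed by a
 * "kernel" region, so a copy that runs off the end of user space lands
 * in kernel memory. */
#define USER_SIZE 16
#define KERN_SIZE 16
static unsigned char space[USER_SIZE + KERN_SIZE];
#define USER_BASE             (space)
#define VM_MAXUSER_ADDRESS_M  (space + USER_SIZE)   /* exclusive bound, as jae implies */

/*
 * check_bound == 0 models the loop before the patch, check_bound == 1 the
 * loop after it.  Return values are an assumption modelled on copy(9):
 * 0 on NUL reached, ENAMETOOLONG when len runs out, EFAULT from the
 * copystr_fault path.
 */
static int copyoutstr_model(const char *kaddr, unsigned char *uaddr, size_t len,
                            size_t *done, int check_bound)
{
    size_t n = 0;
    while (n < len) {                               /* decl %edx ; jz 2f */
        if (check_bound && uaddr + n >= VM_MAXUSER_ADDRESS_M) {
            if (done) *done = n;
            return EFAULT;                          /* jae copystr_fault */
        }
        unsigned char c = (unsigned char)kaddr[n];  /* lodsb (kernel side) */
        uaddr[n] = c;                               /* stosb (user side)   */
        n++;
        if (c == '\0') {                            /* testb %al,%al ; jnz 1b */
            if (done) *done = n;
            return 0;
        }
    }
    if (done) *done = n;
    return ENAMETOOLONG;                            /* 2: maxlen exhausted */
}

struct copy_outcome {
    int    rv;                      /* return value of the modelled copy */
    size_t done;                    /* bytes written, including NUL if reached */
    int    kernel_bytes_clobbered;  /* bytes of the kernel region overwritten */
};

/* Fill the kernel region with a marker, copy kstr to USER_BASE + dst_off with
 * a generous maxlen, and report what happened. */
static struct copy_outcome run_copy(int check_bound, size_t dst_off, const char *kstr)
{
    struct copy_outcome out = { 0, 0, 0 };
    memset(space, 0, sizeof space);
    memset(space + USER_SIZE, 0xAA, KERN_SIZE);
    out.rv = copyoutstr_model(kstr, USER_BASE + dst_off, sizeof space,
                              &out.done, check_bound);
    for (size_t i = USER_SIZE; i < sizeof space; i++)
        if (space[i] != 0xAA)
            out.kernel_bytes_clobbered++;
    return out;
}

int main(void)
{
    /* Constructed input: 20 characters plus NUL, written 8 bytes before the
     * end of the 16-byte user region, so 13 bytes would spill into "kernel". */
    const char *s = "ABCDEFGHIJKLMNOPQRST";
    struct copy_outcome a = run_copy(0, 8, s);
    struct copy_outcome b = run_copy(1, 8, s);
    printf("unchecked: rv=%d done=%zu kernel bytes clobbered=%d\n",
           a.rv, a.done, a.kernel_bytes_clobbered);
    printf("checked:   rv=%d done=%zu kernel bytes clobbered=%d\n",
           b.rv, b.done, b.kernel_bytes_clobbered);
    return 0;
}
```

The unchecked loop returns success after silently writing 13 bytes past the model user boundary; the checked loop stops at the first byte whose destination is at or beyond the bound and reports EFAULT, which is why the compare has to sit inside the loop rather than before it: a string copy only learns its length as it goes.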