netbsd-bugs: kern/29399: mmap/memcpy() can crash -current from userland

Subject: kern/29399: mmap/memcpy() can crash -current from userland
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Tyler Retzlaff <rtr@silence.omicron-persei-8.net>
List: netbsd-bugs
Date: 02/16/2005 13:02:00

>Number:         29399
>Category:       kern
>Synopsis:       mmap/memcpy() can crash -current from userland
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 16 13:02:00 +0000 2005
>Originator:     Tyler Retzlaff
>Release:        NetBSD 2.99.15
>Organization:
>Environment:
System: NetBSD silence.omicron-persei-8.net 2.99.15 NetBSD 2.99.15 (_silence_) #0: Fri Feb 11 21:21:21 EST 2005 rtr@elysium.omicron-persei-8.net:/var/obj/_silence_ i386
Architecture: i386
Machine: i386
>Description:
use of mmap/memcpy as an unprivileged user can cause netbsd to crash

>How-To-Repeat:
int
main(int argc, char **argv)
{
        int fd;
        size_t len;
        void *ptr;
        char *str = "hello\n";

	if (-1 == (fd = open("zero", O_CREAT, O_RDWR)))
		perror("failed open");

	if (NULL == (ptr = mmap(0, strlen(str), PROT_READ|PROT_WRITE,
	    MAP_PRIVATE, fd, 0)))
                perror("failed mmap");

	memcpy(ptr, str, strlen(str));
}
>Fix: