rick@nyit.UUCP (Rick Ace) (03/14/86)
Description:

It's rather easy for anyone with read access to /dev/kmem to crash a 4.2bsd VAX with a trap-9 (protection fault) panic. Apparently, kernacc() (in vax/locore.s) gets confused when called to verify access to a region of memory that straddles P1 and S0 space, ultimately making a wild reference. Even well-intentioned utilities such as "ps" and "uptime" can conceivably trip over this bug because they are taking snapshots of data that is changing out from underneath them.

Repeat-By:

	#include <stdio.h>	/* perror() */

	char	buf[168];

	main()
	{
		int	fd;

		fd = open("/dev/kmem", 0);
		if (fd < 0) {
			perror("/dev/kmem");
			exit(1);
		}
		lseek(fd, 0x7fffffff, 0);	/* begin near the end of P1 space */
		read(fd, buf, sizeof buf);	/* crosses from P1 into S0 space */
	}

Fix:

One possible fix to kernacc() would check for a region that began in one quadrant of virtual memory and ended in a different quadrant. If so, the existing kernacc logic could be invoked twice, to verify each quadrant's portion independently. I haven't tried this yet.

-----
Rick Ace
Computer Graphics Laboratory
New York Institute of Technology
Old Westbury, NY 11568
(516) 686-7644
{decvax,seismo}!philabs!nyit!rick
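The split-at-the-quadrant-boundary check that Rick sketches above, written out in C as an added illustration. This is example code, not Rick's and not the kernacc() in 4.2BSD's vax/locore.s: the quadrant layout (bits 31:30 select P0, P1, S0; 512-byte pages) is the real VAX one, but `struct region_limits`, `access_in_quadrant()`, `crosses_quadrant()` and `kernacc_split()` are hypothetical names, and the per-quadrant limits are constructed stand-ins for the P0LR/P1LR/SLR registers, not values read from a kernel.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed C model of the range check kernacc() performs. The VAX splits the
 * 32-bit address space into four 1 GB quadrants selected by bits 31:30:
 * P0 (00), P1 (01), S0 (10); quadrant 11 is never valid. Pages are 512 bytes. */
#define QUAD_SHIFT  30
#define QUAD_MASK   0xC0000000u
#define PGSHIFT     9
#define QUAD_PAGES  (1u << (QUAD_SHIFT - PGSHIFT))   /* pages per quadrant */

enum { P0_QUAD = 0, P1_QUAD = 1, S0_QUAD = 2 };

/* Hypothetical per-quadrant limits standing in for P0LR / P1LR / SLR. */
struct region_limits {
    uint32_t p0_pages;       /* P0 is valid from page 0 up to (not including) this */
    uint32_t p1_first_page;  /* P1 (stack) is valid from this page up to the top */
    uint32_t s0_pages;       /* S0 is valid from page 0 up to (not including) this */
};

static unsigned quadrant_of(uint32_t va) { return va >> QUAD_SHIFT; }

/* Validate [start, end] (inclusive) when both ends are known to lie in ONE
 * quadrant; this is the per-quadrant logic that the split invokes twice. */
static bool access_in_quadrant(const struct region_limits *lim,
                               uint32_t start, uint32_t end)
{
    uint32_t first = (start & ~QUAD_MASK) >> PGSHIFT;   /* page index within quadrant */
    uint32_t last  = (end   & ~QUAD_MASK) >> PGSHIFT;

    switch (quadrant_of(start)) {
    case P0_QUAD: return last < lim->p0_pages;
    case P1_QUAD: return first >= lim->p1_first_page;   /* stack grows down */
    case S0_QUAD: return last < lim->s0_pages;
    default:      return false;                         /* quadrant 11 */
    }
}

/* True when the region begins in one quadrant and ends in another. */
bool crosses_quadrant(uint32_t start, uint32_t len)
{
    uint32_t end;

    if (len == 0) return false;
    end = start + (len - 1);
    return end >= start && quadrant_of(start) != quadrant_of(end);
}

/* The split check: cut the region at every quadrant boundary it crosses and
 * verify each piece against its own quadrant's limits. */
bool kernacc_split(const struct region_limits *lim, uint32_t start, uint32_t len)
{
    uint32_t end, cur;

    if (len == 0) return true;
    end = start + (len - 1);          /* last byte, inclusive */
    if (end < start) return false;    /* wrapped around 2^32: never valid */

    cur = start;
    for (;;) {
        uint32_t quad_end  = cur | ~QUAD_MASK;                /* last byte of cur's quadrant */
        uint32_t piece_end = quad_end < end ? quad_end : end;

        if (!access_in_quadrant(lim, cur, piece_end)) return false;
        if (piece_end == end) return true;
        cur = piece_end + 1;          /* first byte of the next quadrant */
    }
}

int main(void)
{
    /* Constructed limits: 64 pages of P0, top 8 pages of P1, 4096 pages of S0. */
    struct region_limits lim = { 64, QUAD_PAGES - 8, 4096 };
    uint32_t start = 0x7fffffffu;     /* the offset from the Repeat-By above */
    uint32_t len   = 168;

    printf("crosses quadrant: %s\n", crosses_quadrant(start, len) ? "yes" : "no");
    printf("split check:      %s\n", kernacc_split(&lim, start, len) ? "ok" : "denied");
    return 0;
}
```

With the constructed limits, the 168-byte read at 0x7fffffff is cut into a one-byte piece at the top of P1 and a 167-byte piece at the bottom of S0, and each is checked against its own quadrant's limit; a region that runs past the S0 limit, or whose start plus length wraps past 0xffffffff, is denied rather than handed to the wrong page table.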
chris@umcp-cs.UUCP (Chris Torek) (03/22/86)
My 4.3ish kernel does not crash with Rick's example, but the bug is real. As a quick fix, I would suggest just disallowing accesses to discontiguous regions. (The only one that makes even slight sense is P1/S space, and no current programs cross the boundary in a single read, or at least not intentionally.) Change the very beginning of kernacc to read as follows (just add the lines marked):

 ENTRY(kernacc, 0)			# in 4.2 it was `_kernacc:', I think
 	movl	4(ap),r0		# virtual address
+	bicl3	$0x3fffffff,r0,r1
+	addl3	8(ap),r0,r2		# ending virtual address
+	bicl2	$0x3fffffff,r2
+	cmpl	r1,r2			# same region?
+	bneq	kacerr			# no, disallow it
 	bbcc	$31,r0,kacc1
 	. . .

Warning: the above is untested.
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 1415)
UUCP:	seismo!umcp-cs!chris
CSNet:	chris@umcp-cs		ARPA:	chris@mimsy.umd.edu
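Review bot: the "ending virtual address" computed by `addl3 8(ap),r0,r2` is start plus length, i.e. one byte past the last byte of the region, so `cmpl r1,r2` / `bneq kacerr` rejects an access whose final byte is the last byte of a quadrant (a read ending exactly at 0x7fffffff lands r2 in S0 space and is disallowed even though it never leaves P1). Compare the last byte instead, for example by inserting `decl r2` between the `addl3` and the `bicl2`, and then decide explicitly what a zero-length request should do, since length minus one wraps for it. The same region check also does not notice a start-plus-length sum that wraps past 0xffffffff; whether that needs handling here or is already caught later in kernacc is worth confirming, given the untested warning.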