From nobody  Sun Sep 21 01:54:47 1997
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id BAA22484;
          Sun, 21 Sep 1997 01:54:47 -0700 (PDT)
Message-Id: <199709210854.BAA22484@hub.freebsd.org>
Date: Sun, 21 Sep 1997 01:54:47 -0700 (PDT)
From: amb@elvisti.kiev.ua
To: freebsd-gnats-submit@freebsd.org
Subject: kbdcontrol rebooting machine
X-Send-Pr-Version: www-1.0

>Number:         4592
>Category:       bin
>Synopsis:       kbdcontrol rebooting machine
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    sos
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 21 02:00:01 PDT 1997
>Closed-Date:    Wed Oct 22 20:24:15 PDT 1997
>Last-Modified:  Wed Oct 22 20:26:20 PDT 1997
>Originator:     Andrei Biryukov
>Release:        FreeBSD-2.2-970618-RELENG
>Organization:
Elvisti Information Center
>Environment:
FreeBSD pinta.elvisti.kiev.ua 2.2-970618-RELENG FreeBSD 2.2-970618-RELENG #0: Wed Aug 27 16:09:00 GMT 1997     root@pinta.elvisti.kiev.ua:/usr/src/sys/compile/PINTA  i386

>Description:
if
kbdcontrol -h 1000000000000000000000000000000000
then the machine reboots
>How-To-Repeat:
kbdcontrol -h 100000000000000000000000000000000000
>Fix:

>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: amb@elvisti.kiev.ua, freebsd-gnats-submit@FreeBSD.ORG
Cc:
Subject: Re: bin/4592: kbdcontrol rebooting machine
Date: Sun, 21 Sep 1997 23:25:14 +1000

 >>Description:
 >if
 >cbdcontrol -h 1000000000000000000000000000000000
  k
 >then machine reboot
 
 There are several bugs here.
 
 1. -h (set console history buffer size) should be a vidcontrol option.
 2. 1000000000000000000000000000000000 is misinterpreted by atoi() as
    usual and overflows to 0x7fffffff.
 3. syscons.c accepts the preposterous size of 0x7fffffff (lines) and
    does several potentially overflowing multiplications, first by the
    screen width (normally 80), then by 2.  0x7fffffff * 80 overflows
    to 0xffffffb0.  0xffffffb0 * 2 overflows to 0xffffff60.
 4. The old history buffer is freed before allocating the new one or
    setting the old history pointers to NULL, so the system panics
    if you trace through the code using ddb.  More seriously, the
    system would panic if a kernel printf occurred while the pointers
    are invalid.
 5. malloc() accepts the preposterous size of 0xffffff60 and does an
    overflowing roundup() to size 0.
 6. kmem_malloc() can't handle a size of 0 and panics nicely with
    "kmem_malloc: entry not found or misaligned".
 7. Unless a serial console is used, the panic is actually nasty because
    of bug (4).  Here (using ddb) the first line of the panic gets printed
 OK; then the system hangs when syscons attempts to update the
    history for scrolling.
 
 The bugs are all in syscons and its utilities except for (5) and (6).
 For the less preposterous size of 12500000 which avoids overflows and
 could be satisfied by a measly 2GB of kernel memory, malloc() can do no
 better than panic.  It prints the more appropriate message "kmem_malloc:
 kmem_map too small".  Syscons should avoid passing preposterous sizes.
 
 Bruce
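
The following is an added example, not code from the PR, from kbdcontrol or
from syscons.c. It reproduces in plain 32-bit arithmetic the chain Bruce lays
out in items 2, 3 and 5 (LONG_MAX from the parser, two wrapping multiplies,
roundup() wrapping to 0) and beside it shows the two checks that would have
rejected the request before any kernel allocation: a strtoul()-based parser
with ERANGE and trailing-junk detection, and a bounded size computation done in
64 bits. The helper names, the 4096-byte roundup alignment and the
MAX_HIST_LINES bound are assumptions for illustration only.

```c
/* Added example for bin/4592: the unchecked arithmetic beside its checked form.
 * Not the syscons.c or kbdcontrol code; helper names, the 4096-byte roundup
 * alignment and MAX_HIST_LINES are assumptions for illustration. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_HIST_LINES 1000u   /* assumed sane upper bound on history lines */

/* Unchecked 32-bit multiply, as on i386 where int/u_int are 32 bits wide. */
uint32_t wrap_mul32(uint32_t a, uint32_t b)
{
    return (uint32_t)((uint64_t)a * b);   /* wraps mod 2^32 */
}

/* lines * cols * 2 as two wrapping multiplies (Bruce's item 3). */
uint32_t wrap_hist_bytes(uint32_t lines, uint32_t cols)
{
    return wrap_mul32(wrap_mul32(lines, cols), 2);
}

/* The classic roundup(x, y) macro, ((x + y - 1) / y) * y, in 32 bits.
 * For x within y-1 of 2^32 the addition wraps and the result is 0 (item 5). */
uint32_t wrap_roundup32(uint32_t x, uint32_t y)
{
    return ((x + y - 1) / y) * y;
}

/* Checked size computation: bound the line count first, multiply in 64 bits,
 * and refuse anything that does not fit in 32 bits.
 * Returns the byte count, or -1 for a rejected request. */
int64_t checked_hist_bytes(uint32_t lines, uint32_t cols)
{
    if (lines == 0 || lines > MAX_HIST_LINES || cols == 0)
        return -1;
    uint64_t bytes = (uint64_t)lines * cols * 2;
    if (bytes > UINT32_MAX)
        return -1;
    return (int64_t)bytes;
}

/* What the utility should do instead of atoi(): strtoul() with ERANGE
 * detection, rejection of empty input and trailing junk, and the same upper
 * bound the kernel enforces.  Returns the line count, or -1 if rejected. */
int64_t parse_hist_lines(const char *s)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                      /* overflow, empty, or junk after digits */
    if (v == 0 || v > MAX_HIST_LINES)
        return -1;
    return (int64_t)v;
}

int main(void)
{
    /* Per Bruce's item 2, the huge argument reaches the kernel as 0x7fffffff. */
    uint32_t lines = 0x7fffffffu;
    uint32_t bytes = wrap_hist_bytes(lines, 80);
    printf("lines=0x%08x -> *80=0x%08x -> *2=0x%08x\n",
           (unsigned)lines, (unsigned)wrap_mul32(lines, 80), (unsigned)bytes);
    printf("roundup(0x%08x, 4096)=0x%08x  (size 0 handed to kmem_malloc)\n",
           (unsigned)bytes, (unsigned)wrap_roundup32(bytes, 4096));
    printf("checked_hist_bytes(0x7fffffff, 80) = %lld\n",
           (long long)checked_hist_bytes(lines, 80));
    printf("parse_hist_lines(huge) = %lld, parse_hist_lines(\"100\") = %lld\n",
           (long long)parse_hist_lines("1000000000000000000000000000000000"),
           (long long)parse_hist_lines("100"));
    return 0;
}
```

The 64-bit multiply is the part that matters: clamping lines alone is not
enough if cols can also be large, and checking the product after it has
already wrapped in 32 bits detects nothing.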
Responsible-Changed-From-To: freebsd-bugs->sos 
Responsible-Changed-By: wosch 
Responsible-Changed-When: Sun Sep 21 17:08:06 PDT 1997 
Responsible-Changed-Why:  
syscons is sos's area 
State-Changed-From-To: open->closed 
State-Changed-By: yokota 
State-Changed-When: Wed Oct 22 20:24:15 PDT 1997 
State-Changed-Why:  
Fixed in syscons.c 1.235. 
>Unformatted:
