From valeks@alpha.valabs.spb.ru  Tue Mar 25 12:55:54 2003
Return-Path: <valeks@alpha.valabs.spb.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 42D9E37B405
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 25 Mar 2003 12:55:54 -0800 (PST)
Received: from alpha.valabs.spb.ru (dialup92-148.ip.PeterStar.net [217.195.92.148])
	by mx1.FreeBSD.org (Postfix) with SMTP id 62D0A43F93
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 25 Mar 2003 12:55:51 -0800 (PST)
	(envelope-from valeks@alpha.valabs.spb.ru)
Received: (qmail 898 invoked by uid 1001); 25 Mar 2003 20:55:50 -0000
Message-Id: <20030325205550.897.qmail@alpha.valabs.spb.ru>
Date: 25 Mar 2003 20:55:50 -0000
From: Valentin A.Alekseev <valeks@valabs.spb.ru>
Reply-To: Valentin A.Alekseev <valeks@valabs.spb.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: unlimited usage of AGP memory make system hung
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         50298
>Category:       kern
>Synopsis:       [hang] unlimited usage of AGP memory make system hung
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 25 13:00:26 PST 2003
>Closed-Date:    Sun Dec 19 06:40:54 GMT 2004
>Last-Modified:  Sun Dec 19 06:40:54 GMT 2004
>Originator:     Valentin A. Alekseev
>Release:        FreeBSD 5.0-RELEASE-p6 i386
>Organization:
Valentin A. Alekseev
>Environment:
System: FreeBSD alpha.valabs.spb.ru 5.0-RELEASE-p6 FreeBSD 5.0-RELEASE-p6 #3: Sun Mar 23 00:55:36 MSK 2003 valeks@alpha.valabs.spb.ru:/usr/src/sys/i386/compile/ALPHA i386

/usr/src/sys/pci/agp.c:
     $FreeBSD: src/sys/pci/agp.c,v 1.22 2002/11/13 17:40:15 mux Exp $

XFree86 Version 4.3.0
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: FreeBSD 5.0-RELEASE-p4 i386 [ELF] 

     
>Description:
	
	AGP aperture memory allocated in kernel address space with no limits
	ever set. This is exploitable both by root and non-root users using
	either AGPIOC_* ioctl's directly or using any gl function with realy
	big arguments (for the first time this was discovered for glTexImage2D
	function on XFree86 4.3.0).
>How-To-Repeat:
	Exploit is located at http://www.valabs.spb.ru/files/agpdos.c (1,6K)
>Fix:
	Currently no fix or patch made by me.


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: anholt 
State-Changed-When: Sun Aug 22 03:59:40 GMT 2004 
State-Changed-Why:  
Can anyone reproduce this?  I have tried to a couple of times, and both 
times it was killed by the OOM killer or had some other relatively graceful 
failure (don't remember). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50298 
State-Changed-From-To: feedback->closed 
State-Changed-By: anholt 
State-Changed-When: Sun Dec 19 06:38:45 GMT 2004 
State-Changed-Why:  
Feedback timeout, > 3 months.  Couldn't reproduce. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50298 
>Unformatted:
