
oskit-mach: vm_map_copyout crash

From: Daniel Wagner
Subject: oskit-mach: vm_map_copyout crash
Date: Sun, 28 Oct 2001 13:47:38 +0100
User-agent: Mutt/1.2.5i


I found an easy way to crash oskit-mach reproducibly. The attached
buggy program does it. Be warned: the crash leaves your system in
a horrible condition (as always).

This is what I get from gdb (remote debugging):

Breakpoint 1, panic (fmt=0x21f7ca "vm_map_copyout: wiring 0x%x")
    at ../../../oskit-20010214/libc/gen/panic.c:31
31              va_start(vl, fmt);
(gdb) bt
#0  panic (fmt=0x21f7ca "vm_map_copyout: wiring 0x%x")
    at ../../../oskit-20010214/libc/gen/panic.c:31
#1  0x001300b1 in vm_map_copyout ()
#2  0x00104e7d in ipc_kmsg_copyout_body ()
#3  0x00104f62 in ipc_kmsg_copyout ()
#4  0x00113d06 in mach_msg_continue ()


#include <device/device.h>
#include <mach/kern_return.h>
#include <mach/port.h>

#include <assert.h>
#include <error.h>
#include <hurd/ports.h>
#include <mach.h>

/* Port class that main() creates with ports_create_class() and uses to
   create `readpt`. */
struct port_class *etherreadclass;
/* Device port filled in by device_open() for the network interface. */
device_t ether_port;  
/* Port object created by ports_create_port(); its right is the destination
   given to device_set_filter(). */
struct port_info *readpt;  
/* Port name obtained from ports_get_right (readpt). */
mach_port_t readptname;
/* Bucket in which `readpt` is created. */
static struct port_bucket *etherport_bucket;

/* Packet filter program handed to device_set_filter().
   NOTE(review): the initializer is absent in this archived copy (the
   brace-enclosed list was presumably lost when the mail was rendered), so
   the filter contents are unknown and the listing does not compile as
   shown. */
static short ether_filter[] =
/* Number of `short` entries in ether_filter. */
static int ether_filter_len = sizeof (ether_filter) / sizeof (short);

/* Reproducer from the report: creates a receive port, opens the "eth0"
   device through the device master port, installs a packet filter that
   delivers to the receive port, and issues a single device_write().
   The reported backtrace shows the kernel reaching panic() in
   vm_map_copyout(), called from ipc_kmsg_copyout_body(), i.e. while a
   message is being copied out to a task.

   NOTE(review): this archived copy has lost the function's braces, and
   `argv` is declared as `int`; the listing does not compile as shown.
   NOTE(review): a panic() that a task's request can reach is a
   denial-of-service condition; the kernel path would have to fail the
   request with an error instead. Which input property triggers it is not
   stated in the report. */
main(int argc, int argv)
  error_t err;
  device_t master_device;
  u_int count;
  char *interface = "eth0";
  unsigned char *frame;

  /* Set up the libports bucket, class and port that will receive packets
     matched by the filter. */
  etherport_bucket = ports_create_bucket ();
  etherreadclass = ports_create_class (0, 0);
  err = ports_create_port (etherreadclass, etherport_bucket,
                           sizeof (struct port_info), &readpt);
  assert_perror (err);
  readptname = ports_get_right (readpt);
  /* Return values of the next two calls are not checked. */
  mach_port_insert_right (mach_task_self (), readptname, 
                          readptname, MACH_MSG_TYPE_MAKE_SEND);
  mach_port_set_qlimit (mach_task_self (), readptname, MACH_PORT_QLIMIT_MAX);

  /* Obtain the device master port.
     NOTE(review): presumably this only succeeds for a privileged caller,
     which would bound who can reach the crash; confirm. */
  err = get_privileged_ports (0, &master_device);
  if (err)
    error (2, err, "cannot get device master port");

  /* Open the interface for reading and writing; the master port is released
     before the result is checked, on both the success and failure paths. */
  err = device_open (master_device, D_WRITE | D_READ, interface, &ether_port);
  mach_port_deallocate (mach_task_self (), master_device);
  if (err)
    error (2, err, "%s", interface);
  /* Route packets matched by ether_filter to the receive port. */
  err = device_set_filter (ether_port, ports_get_right (readpt),
                           MACH_MSG_TYPE_MAKE_SEND, 0,
                           ether_filter, ether_filter_len);
  if (err)
    error (2, err, "%s", interface);

  /* 66-byte heap buffer; the malloc result is not checked for NULL, the
     contents are never initialized, and <stdlib.h> is not among the
     includes shown. */
  frame = (unsigned char*) malloc (66);
  /* NOTE(review): sizeof (frame) is the size of the pointer, not the 66
     bytes allocated, so the length passed here is the pointer size.
     Whether that is intended for the reproduction is not stated. */
  err =  device_write (ether_port, D_NOWAIT, 0, 
                       frame, sizeof (frame), &count);

  /* NOTE(review): a comma is missing between `err` and "%s" on the error()
     call below, so it does not compile as written. */
  if (err)
    error (2, err "%s", interface);

  /* Release the device port and destroy the receive right; `frame` is
     never freed. */
  mach_port_deallocate (mach_task_self (), ether_port);
  ports_destroy_right (readptname);
  return 0;

Daniel Wagner                              "use quit to exit"
email: wagi@gmx.ch

GnuPG: 1024D/DCDE890A (public key available on any keyserver)
