[5412] in Athena Bugs
kernel kmem_free()
daemon@ATHENA.MIT.EDU (John Carr)
Wed Jul 4 13:09:50 1990
To: bugs@ATHENA.MIT.EDU
Date: Wed, 04 Jul 90 13:09:39 EDT
From: John Carr <jfc@ATHENA.MIT.EDU>
The bounds check in this function is insufficient. It should read

    if (ptr < (caddr_t) usrpt ||
        ptr + nbytes >= (caddr_t) usrpt + USRPTSIZE*NBPG) {

instead of

    if (ptr < (caddr_t) usrpt ||
        ptr > (caddr_t) usrpt + USRPTSIZE*NBPG) {

The current version allows 1 + nbytes invalid addresses to pass. A
dialup server crashed recently with "panic: kmem_free". I verified
that kmem_alloc had returned a bad address; this can only happen if
kmem_free allows a bad block into the pool or something overwrites
part of the kmem_alloc pool. I suspect the former.
Dump is E40-008-8:/usr/crash/vm*.1.
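The bounds-check gap described in the message, as an added example that is not part of the original report or of the Athena kernel. It uses constructed stand-ins for usrpt, USRPTSIZE and NBPG (the real values are not on the page), models addresses as uintptr_t so that arithmetic past the pool is well defined, and counts how many start addresses the current check accepts that the proposed check rejects. The wrap-safe variant of the proposed check is an addition of the editor, not something the message proposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's usrpt, USRPTSIZE and NBPG; these
 * are assumptions chosen so the example runs in user space. */
#define NBPG       4096u
#define USRPTSIZE  4u
#define POOL_BYTES (USRPTSIZE * NBPG)

static unsigned char pool[POOL_BYTES];

static uintptr_t usrpt_base(void) { return (uintptr_t)pool; }
static uintptr_t usrpt_end(void)  { return (uintptr_t)pool + POOL_BYTES; }

/* The check quoted as the current kmem_free() test: it looks only at the
 * start address and ignores nbytes. Returns 1 if the block is accepted. */
int check_original(uintptr_t ptr, size_t nbytes)
{
    (void)nbytes;
    return !(ptr < usrpt_base() || ptr > usrpt_end());
}

/* The check proposed in the message: also rejects a block whose end
 * would lie past the pool. */
int check_proposed(uintptr_t ptr, size_t nbytes)
{
    return !(ptr < usrpt_base() || ptr + nbytes >= usrpt_end());
}

/* Editor's addition: the same condition as check_proposed, written so that
 * ptr + nbytes cannot wrap around. A naive sum silently passes when nbytes
 * is large enough to wrap the address back below the pool end. */
int check_wrap_safe(uintptr_t ptr, size_t nbytes)
{
    if (ptr < usrpt_base() || ptr >= usrpt_end())
        return 0;
    return nbytes < usrpt_end() - ptr;
}

/* Count start addresses in [base - margin, end + margin] that `accept`
 * passes but `reference` rejects, i.e. blocks that slip through. */
size_t count_slipped(int (*accept)(uintptr_t, size_t),
                     int (*reference)(uintptr_t, size_t),
                     size_t nbytes, size_t margin)
{
    size_t slipped = 0;
    for (uintptr_t p = usrpt_base() - margin; p <= usrpt_end() + margin; p++)
        if (accept(p, nbytes) && !reference(p, nbytes))
            slipped++;
    return slipped;
}

int main(void)
{
    /* For every nbytes the original check lets exactly 1 + nbytes start
     * addresses through (end - nbytes .. end inclusive). */
    for (size_t nbytes = 1; nbytes <= 64; nbytes *= 8)
        printf("nbytes=%zu: original check lets %zu bad start addresses through\n",
               nbytes, count_slipped(check_original, check_proposed, nbytes, 256));
    printf("proposed check with nbytes=SIZE_MAX at pool base: %d (wraps)\n",
           check_proposed(usrpt_base(), SIZE_MAX));
    printf("wrap-safe check with nbytes=SIZE_MAX at pool base: %d\n",
           check_wrap_safe(usrpt_base(), SIZE_MAX));
    return 0;
}
```

The count confirms the message's arithmetic: the start addresses end - nbytes through end are all accepted by the original test, so 1 + nbytes blocks that overrun the pool get freed into it. The wrap-safe form matters in a kernel where nbytes comes from a caller that may be corrupted; with the plain sum, a very large nbytes wraps past the end comparison and is accepted.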