
plan9front - issue #230

buffer overflow in kbmap.c


Posted on Dec 10, 2014 by Happy Panda

A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters.

sample output:

    % cd /sys/lib/kbmap
    % touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    % kbmap
    kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df

offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer.

I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap if I can figure out the nuances of doing so.

--silasm
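The defect the report describes, formatting a directory prefix plus an attacker-controlled file name into a fixed-size buffer with no bound, and the bounded form that detects when the result would not fit, shown as an added illustration in portable C. This is not the kbmap.c source or the committed fix; it assumes a 128-byte buffer and the /sys/lib/kbmap/ prefix from the report, and uses C's snprintf in place of Plan 9's snprint.

```c
#include <stdio.h>
#include <string.h>

/* Assumed from the report: a 128-byte path buffer. */
enum { PATHBUF = 128 };

/* Vulnerable pattern: an unbounded sprintf into a fixed buffer. A name long
   enough that "dir/name" plus the NUL exceeds PATHBUF writes past the end of
   buf. Kept only for side-by-side comparison; nothing below calls it. */
void build_path_unbounded(char buf[PATHBUF], const char *dir, const char *name)
{
    sprintf(buf, "%s/%s", dir, name);
}

/* Hardened form: snprintf writes at most bufsz bytes (NUL included) and returns
   the length the complete string would have needed. A return value >= bufsz
   means the output was truncated, which is exactly the case that overflowed in
   the unbounded version, so the caller can refuse it instead of using a
   corrupted or truncated path. Returns the length on success, -1 otherwise. */
int build_path_bounded(char *buf, size_t bufsz, const char *dir, const char *name)
{
    int n = snprintf(buf, bufsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz > 0)
            buf[0] = '\0';   /* do not hand back a partial path */
        return -1;
    }
    return n;
}

/* Pure length check that can run before any formatting: does "dir/name" plus
   the terminating NUL fit in bufsz? Returns 1 if it fits, 0 if not. */
int path_fits(size_t bufsz, const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1 <= bufsz;
}

/* Demonstration helper: construct a file name of namelen 'a' characters (as in
   the report's touch command) and return build_path_bounded's verdict for it.
   With the 15-byte prefix "/sys/lib/kbmap/", 112 characters still fit in 128
   bytes and 113 do not. Returns -2 if namelen exceeds the local scratch space. */
int try_name_of_length(size_t namelen)
{
    char buf[PATHBUF];
    char name[256];
    if (namelen >= sizeof name)
        return -2;
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    return build_path_bounded(buf, sizeof buf, "/sys/lib/kbmap", name);
}

int main(void)
{
    printf("name of 112 chars: %d\n", try_name_of_length(112));  /* 127 */
    printf("name of 113 chars: %d\n", try_name_of_length(113));  /* -1 */
    printf("name of 133 chars: %d\n", try_name_of_length(133));  /* -1 */
    return 0;
}
```

The useful property is that the bounded call turns a silent memory write into a checkable return value: a caller that treats -1 as an error (the report's 133-character name, for instance) never gets past the path construction, whereas the unbounded call has already corrupted memory by the time anything could notice.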

Comment #1

Posted on Dec 11, 2014 by Happy Hippo

fixed, thanks!

Status: Fixed

Labels:
Type-Other Priority-Low