Subject: two localhost panics

Two localhost panics were recently fixed in the OpenBSD source tree.
We do not believe these can be used to escalate privileges but they
can be used to crash a machine given local access.

The first bug involves an unsigned integer wraparound in uvm_vslock()
and uvm_vsunlock() that can be triggered by passing the sysctl()
function certain arguments.

Fixes have been committed to the 3.3 and 3.4 -stable cvs branches,
and patches are also available at:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/007_uvm.patch
and
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/012_uvm.patch

The second bug was due to an incorrect bounds check in the semop()
and semctl() functions that can be triggered by passing certain
arguments to these functions when the kern.seminfo.semmni sysctl
value is less than the value of kern.seminfo.semmsl (this is the
case for the default settings).

Fixes have been committed to the 3.3 and 3.4 -stable cvs branches,
and patches are also available at:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/008_sem.patch
and
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/013_sem.patch

Alternately, a workaround is to set kern.seminfo.semmni equal to
kern.seminfo.semmsl, e.g.
    sysctl -w kern.seminfo.semmni=`sysctl -n kern.seminfo.semmsl`