A read of 2^32 bytes can trigger an endless loop in randomread(), due to integer truncation when passing a size_t argument to min(). There is a similar issue in randomwrite().
The diff included below is a minimal version of a similar diff I've sent to tech@ some months ago, but with peripheral changes, like converting uiomovei() to uiomove() or adding unnecessary casts, removed. This should make the diff easier to review. See http://marc.info/?l=openbsd-tech&m=142850699715734 for reference. Index: dev/rnd.c =================================================================== RCS file: /cvs/src/sys/dev/rnd.c,v retrieving revision 1.176 diff -u -p -r1.176 rnd.c --- dev/rnd.c 27 Oct 2015 11:13:06 -0000 1.176 +++ dev/rnd.c 26 Dec 2015 10:26:09 -0000 @@ -840,7 +840,7 @@ randomread(dev_t dev, struct uio *uio, i } while (ret == 0 && uio->uio_resid > 0) { - int n = min(POOLBYTES, uio->uio_resid); + int n = ulmin(POOLBYTES, uio->uio_resid); if (myctx) { #ifndef KEYSTREAM_ONLY @@ -872,7 +872,7 @@ randomwrite(dev_t dev, struct uio *uio, buf = malloc(POOLBYTES, M_TEMP, M_WAITOK); while (ret == 0 && uio->uio_resid > 0) { - int n = min(POOLBYTES, uio->uio_resid); + int n = ulmin(POOLBYTES, uio->uio_resid); ret = uiomovei(buf, n, uio); if (ret != 0) cheers, natano
