Created attachment 243805 [details] a cd9660 image that causes cd9660_rrip_cont() to read beyond the end of a buf cd9660_rrip_loop() checks that the SUSP header is within the buf: while (pend >= phead + 1) { But individual RRIP functions access fields beyond phead+1, and as a result can crash if phead is just before the end of the buf. I've attached a demo image: # gunzip cd1a.iso.gz # mdconfig cd1a.iso # mount_cd9660 /dev/md0 /mnt panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc003a35000 --- exception 13, tval = 0xffffffc003a35001 isonum_733() at isonum_733+0x8 cd9660_rrip_cont() at cd9660_rrip_cont+0x16 cd9660_rrip_loop() at cd9660_rrip_loop+0xfa cd9660_rrip_offset() at cd9660_rrip_offset+0x70 iso_mountfs() at iso_mountfs+0x692 cd9660_mount() at cd9660_mount+0x1a2 vfs_domount_first() at vfs_domount_first+0x1cc vfs_domount() at vfs_domount+0x26c vfs_donmount() at vfs_donmount+0x82c sys_nmount() at sys_nmount+0x5e syscallenter() at syscallenter+0xe0 ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xf2 cpu_exception_handler_user() at cpu_exception_handler_user+0x72 --- syscall (378, FreeBSD ELF64, nmount)