The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to
/dev is available, allows local users to cause a denial of service
(kernel panic) via a certain IOCTL request with a large count, which
triggers a malloc call with a large value.
*** This bug has been marked as a duplicate of bug 277662 ***