A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters.
sample output:
% cd /sys/lib/kbmap
% touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
% kbmap
kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df
offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c,
which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer.
I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap
if I can figure out the nuances of doing so.
--silasm