fb & linprocfs

Christer Öberg christer.oberg at deprotect.com
Thu Aug 12 14:51:06 PDT 2004


Hi,

I noticed that a bug I discovered in FreeBSD a while back is still 
present in DF. There is also a kernel memory disclosure bug in linprocfs. 
See the attached diffs.


--- dev/video/fb/vga.c	2004-02-24 20:42:19.000000000 +0100
+++ dev/video/fb/vga.c.new	2004-08-11 16:18:00.000000000 +0200
@@ -2848,7 +2848,7 @@
     u_char *g;
     u_char *b;
 
-    if ((base < 0) || (base >= 256) || (base + count > 256))
+    if ((base < 0) || (base >= 256) || (count < 0) || (base + count > 256))
 	return EINVAL;
 
     r = malloc(count*3, M_DEVBUF, M_WAITOK);
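Review bot: The added `(count < 0)` test still leaves `base + count > 256` as a signed addition, so a count close to the maximum int value can overflow (undefined behaviour, in practice usually a negative result) and pass the guard before `malloc(count*3, M_DEVBUF, M_WAITOK)` runs. This assumes base and count are plain int, which the hunk does not show. Since base is already known to be in 0..255 at that point, writing the bound as `(count > 256 - base)` removes the addition and cannot overflow. The identical check in the second hunk (at -2877) needs the same change; both function bodies begin and end outside the hunks.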
@@ -2877,7 +2877,7 @@
     u_char *b;
     int err;
 
-    if ((base < 0) || (base >= 256) || (base + count > 256))
+    if ((base < 0) || (base >= 256) || (count < 0) || (base + count > 256))
 	return EINVAL;
 
     r = malloc(count*3, M_DEVBUF, M_WAITOK);
--- emulation/linux/i386/linprocfs/linprocfs_misc.c	2003-10-12 02:52:48.000000000 +0200
+++ emulation/linux/i386/linprocfs/linprocfs_misc.c.new	2004-08-11 13:37:22.000000000 +0200
@@ -486,7 +486,6 @@
 		    struct pfsnode *pfs, struct uio *uio)
 {
 	char *ps, psbuf[512];
-	int xlen;
 
 	ps = psbuf;
 	ps += sprintf(ps, "%d.%02d %d.%02d %d.%02d %d/%d %d\n",
@@ -500,10 +499,7 @@
 	    -1,                     /* number of tasks */
 	    nextpid         /* The last pid */
 	);
-	xlen = ps - psbuf;
-	xlen -= uio->uio_offset;
-	ps = psbuf + uio->uio_offset;
-	xlen = imin(xlen, uio->uio_resid);
-	return (xlen <= 0 ? 0 : uiomove(ps, xlen, uio));
+
+	return (uiomove_frombuf(psbuf, ps - psbuf, uio));
 }
 
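Review bot: Only this one handler is converted to `uiomove_frombuf`, while the removed lines (`xlen -= uio->uio_offset; ps = psbuf + uio->uio_offset;` with no range check on the offset) look like a pattern that other read handlers in linprocfs_misc.c may share. Those handlers are outside the diff, so this needs confirming, but any that keep the manual arithmetic would still copy from outside their stack buffer when the offset is out of range. It would also help to state the reason for the change at the call site, for example `/* uiomove_frombuf() validates uio_offset against the formatted length */`. The function starts before this hunk, so the unbounded `sprintf` into `psbuf[512]` can only be judged partially from here; `snprintf` with `sizeof(psbuf)` would make the bound explicit.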



