fb & linprocfs
Christer Öberg
christer.oberg at deprotect.com
Thu Aug 12 14:51:06 PDT 2004
Hi,
I noticed that a bug I discovered in FreeBSD a while back still is
present in DF. Also there is a kernel mem disclosure bug in linprocfs.
See attached diffs..
--- dev/video/fb/vga.c 2004-02-24 20:42:19.000000000 +0100
+++ dev/video/fb/vga.c.new 2004-08-11 16:18:00.000000000 +0200
@@ -2848,7 +2848,7 @@
u_char *g;
u_char *b;
- if ((base < 0) || (base >= 256) || (base + count > 256))
+ if ((base < 0) || (base >= 256) || (count < 0) || (base + count > 256))
return EINVAL;
r = malloc(count*3, M_DEVBUF, M_WAITOK);
@@ -2877,7 +2877,7 @@
u_char *b;
int err;
- if ((base < 0) || (base >= 256) || (base + count > 256))
+ if ((base < 0) || (base >= 256) || (count < 0) || (base + count > 256))
return EINVAL;
r = malloc(count*3, M_DEVBUF, M_WAITOK);
--- emulation/linux/i386/linprocfs/linprocfs_misc.c 2003-10-12 02:52:48.000000000 +0200
+++ emulation/linux/i386/linprocfs/linprocfs_misc.c.new 2004-08-11 13:37:22.000000000 +0200
@@ -486,7 +486,6 @@
struct pfsnode *pfs, struct uio *uio)
{
char *ps, psbuf[512];
- int xlen;
ps = psbuf;
ps += sprintf(ps, "%d.%02d %d.%02d %d.%02d %d/%d %d\n",
@@ -500,10 +499,7 @@
-1, /* number of tasks */
nextpid /* The last pid */
);
- xlen = ps - psbuf;
- xlen -= uio->uio_offset;
- ps = psbuf + uio->uio_offset;
- xlen = imin(xlen, uio->uio_resid);
- return (xlen <= 0 ? 0 : uiomove(ps, xlen, uio));
+
+ return (uiomove_frombuf(psbuf, ps - psbuf, uio));
}
More information about the Bugs
mailing list