[PATCH] tty proc bugfix

From: Manfred Spraul (manfreds@colorfullife.com)
Date: Thu Apr 20 2000 - 02:50:34 EST


rs_read_proc() was wrong:
it set the "start" pointer to the wrong address, thus it leaks kernel
memory and can crash if you read from a file position !=0.
Unfortunately, at least 11 drivers copied the wrong line :-(

The patch seems obviously correct (tm), could you add it to the next
kernel?

--
	Manfred
P.S.: I found these functions with "grep 'begin.*-.*off'". I've also
written a short script that compares "dd bs=1" and "dd bs=2048", but
that script complains about virtually every proc entry.

/proc/locks: read one byte, returns 1536.

// $Header$
// Kernel Version:
// VERSION = 2
// PATCHLEVEL = 3
// SUBLEVEL = 99
// EXTRAVERSION = -pre5
--- 2.3/fs/proc/proc_tty.c Tue Dec 7 10:48:57 1999
+++ build-2.3/fs/proc/proc_tty.c Thu Apr 20 08:46:23 2000
@@ -93,7 +93,7 @@
 *eof = 1;
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
@@ -123,7 +123,7 @@
 *eof = 1;
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/net/irda/ircomm/ircomm_tty.c Sun Feb 27 08:57:12 2000
+++ build-2.3/net/irda/ircomm/ircomm_tty.c Thu Apr 20 09:01:12 2000
@@ -1346,7 +1346,7 @@
 done:
 if (offset >= count+begin)
 return 0;
- *start = buf + (begin-offset);
+ *start = buf + (offset-begin);
 return ((len < begin+count-offset) ? len : begin+count-offset);
 }
--- 2.3/drivers/char/serial.c Wed Apr 12 15:00:21 2000
+++ build-2.3/drivers/char/serial.c Thu Apr 20 09:01:32 2000
@@ -3159,7 +3159,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/drivers/char/nvram.c Mon Feb 14 16:20:54 2000
+++ build-2.3/drivers/char/nvram.c Thu Apr 20 09:02:49 2000
@@ -372,7 +372,7 @@
 if (offset >= begin + len)
 return( 0 );
- *start = buffer + (begin - offset);
+ *start = buffer + (offset - begin);
 return( size < begin + len - offset ? size : begin + len - offset );
 }
--- 2.3/drivers/char/synclink.c Thu Jan 6 22:56:56 2000
+++ build-2.3/drivers/char/synclink.c Thu Apr 20 09:03:03 2000
@@ -3901,7 +3901,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 } /* end of mgsl_read_proc() */
--- 2.3/drivers/char/ip2main.c Thu Feb 10 22:38:58 2000
+++ build-2.3/drivers/char/ip2main.c Thu Apr 20 09:03:19 2000
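Review bot: The corrected `*start = page + (off-begin);` in the first fs/proc/proc_tty.c hunk (@@ -93) stays inside `page` only while `begin <= off`, and nothing in the visible lines establishes that, since the preceding `off >= len+begin` test bounds `off` from above only. The enclosing function starts outside the hunk, so the invariant presumably comes from the fill loop there; a comment above the assignment such as `/* begin <= off < begin+len here, so *start points into page */` would record it for the next reader. The same epilogue, with different variable names in ircomm_tty.c and nvram.c, recurs in every other hunk of this patch (the second proc_tty.c hunk, ircomm_tty.c, serial.c, nvram.c, synclink.c, ip2main.c, amiserial.c, capi.c, kcapi.c, sab82532.c, su.c, vacserial.c and 8xx_io/uart.c). Moving that arithmetic into one shared helper would leave a single place to audit instead of a pointer expression that each driver copies by hand.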
@@ -3150,7 +3150,7 @@
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/drivers/char/amiserial.c Fri Mar 24 11:10:17 2000
+++ build-2.3/drivers/char/amiserial.c Thu Apr 20 09:03:36 2000
@@ -2066,7 +2066,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/drivers/isdn/avmb1/capi.c Fri Mar 24 11:10:17 2000
+++ build-2.3/drivers/isdn/avmb1/capi.c Thu Apr 20 09:05:09 2000
@@ -1835,7 +1835,7 @@
 *eof = 1;
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/drivers/isdn/avmb1/kcapi.c Fri Mar 24 11:10:17 2000
+++ build-2.3/drivers/isdn/avmb1/kcapi.c Thu Apr 20 09:05:18 2000
@@ -270,7 +270,7 @@
 *eof = 1;
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/drivers/sbus/char/sab82532.c Wed Mar 15 08:48:52 2000
+++ build-2.3/drivers/sbus/char/sab82532.c Thu Apr 20 09:05:36 2000
@@ -2092,7 +2092,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/drivers/sbus/char/su.c Wed Mar 15 08:48:52 2000
+++ build-2.3/drivers/sbus/char/su.c Thu Apr 20 09:05:52 2000
@@ -2204,7 +2204,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/arch/mips/baget/vacserial.c Sun Feb 27 08:57:07 2000
+++ build-2.3/arch/mips/baget/vacserial.c Thu Apr 20 09:06:12 2000
@@ -2168,7 +2168,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }
--- 2.3/arch/ppc/8xx_io/uart.c Wed Apr 12 15:00:16 2000
+++ build-2.3/arch/ppc/8xx_io/uart.c Thu Apr 20 09:06:55 2000
@@ -2063,7 +2063,7 @@
 done:
 if (off >= len+begin)
 return 0;
- *start = page + (begin-off);
+ *start = page + (off-begin);
 return ((count < begin+len-off) ? count : begin+len-off);
 }

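#!/bin/sh
# Consistency check for /proc read handlers.
#
# Every regular file under /proc (minus the exclusions below) is read twice,
# once one byte at a time and once in 2048-byte chunks. A handler that
# computes its start pointer or return length wrongly for a non-zero file
# offset yields different bytes for the two reads, and the file is reported
# as "Mismatch: <path>".

cd /proc || exit 1

# Private scratch files from mktemp: fixed names such as /tmp/file1 can be
# pre-created or symlinked by another local user, and this check is
# normally run with elevated privileges.
tmp1=$(mktemp) || exit 1
tmp2=$(mktemp) || { rm -f "$tmp1"; exit 1; }
trap 'rm -f "$tmp1" "$tmp2"' EXIT

# Stream the find output through read so that paths containing whitespace
# are not split, and quote every expansion of $i.
find . -type f \
    -not -path '*ide*' \
    -not -path '*sys/acpi/event' \
    -not -path './sys/*' \
    -not -path './kcore' \
    -not -path './kmem' \
    -not -path './mem' \
    -not -path './kmsg' |
while IFS= read -r i; do
    dd if="$i" of="$tmp1" bs=1 >/dev/null 2>&1
    dd if="$i" of="$tmp2" bs=2048 >/dev/null 2>&1
    # cmp -s replaces "diff /tmp/file{1,2}": brace expansion is not
    # available in a plain POSIX /bin/sh.
    if ! cmp -s "$tmp1" "$tmp2"; then
        echo "Mismatch: $i"
    fi
done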



