Re: Should this happen?

From: Manfred Spraul (manfreds@colorfullife.com)
Date: Fri May 05 2000 - 06:46:08 EST


Wakko Warner wrote:
>
> > > Also sprach Craig Whitmore:
> > > } With 2.3.99-pre6 (haven't checked any other versions)
> > > }
> > > } [root@lennon /proc]# more misc
> > > } Segmentation fault
> > > } [root@lennon /proc]# cat misc
> > > } 175 agpgart
> > > } 63 tdfx
> > > } 1 psaux
> > > }
> > > } I don't think this should happen..
> > > }
> > > IMHO, probably not. But it does this in "stable" kernels as well ;-)
> > >

Very simple & stupid bug:
try
        strace dd if=/proc/misc bs=1

read(fd,buf,1) returns more than 1 byte, so it overruns a user-space
buffer in more, which then crashes. It won't oops.

I've attached an untested patch; it should fix the bug in 2.2 & 2.3.

--
	Manfred

--- 2.2/drivers/char/misc.c Thu May 4 09:40:08 2000 +++ build-2.2/drivers/char/misc.c Fri May 5 13:43:39 2000 @@ -89,12 +89,18 @@ int len, int *eof, void *private) { struct miscdevice *p; + int written; - len=0; - for (p = misc_list.next; p != &misc_list && len < 4000; p = p->next) - len += sprintf(buf+len, "%3i %s\n",p->minor, p->name ?: ""); + written=0; + for (p = misc_list.next; p != &misc_list && written < 4000; p = p->next) + written += sprintf(buf+written, "%3i %s\n",p->minor, p->name ?: ""); *start = buf + offset; - return len > offset ? len - offset : 0; + written -= offset; + if (written < 0) + return 0; + if (written < len) + return written; + return len; }
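Review bot: the hunk never sets *eof, so when the clamp takes the `if (written < len) return written;` branch the proc layer still believes more data may follow and has to call misc_read_proc once more at the advanced offset just to get 0 back; adding `*eof = 1;` to that branch saves the extra pass and documents that the whole list has been handed out. The `written < 4000` loop bound is unchanged from the old `len < 4000`: it is tested before the sprintf, so one further entry is still formatted when written is just under 4000, which only stays safe while buf has slack beyond that point for a long device name.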

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
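The read_proc contract behind the crash Manfred describes, as an added example that is not part of the original mail or of the kernel source: a user-space model with the pre-patch and post-patch misc_read_proc() logic side by side, driven by a loop shaped like the caller in fs/proc/generic.c. The device table, the PAGE_SIZE and PROC_BLOCK_SIZE constants, and the model loop itself are constructed for the demonstration; the two handlers copy the logic of the hunk above. The model clamps its copy to the user buffer only so that the demonstration cannot corrupt its own memory; the byte count it returns is what read() would report.

```c
/* Constructed user-space model of the /proc read_proc contract.  Not kernel
 * code: the handlers mirror the pre- and post-patch logic of misc_read_proc()
 * in drivers/char/misc.c, and model_proc_file_read() mimics the caller loop
 * of proc_file_read() for handlers that set *start. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE 4096            /* assumed size of the buffer handed to read_proc */
#define PROC_BLOCK_SIZE (3 * 1024) /* per-call chunk the model caller asks for */

struct miscdevice { int minor; const char *name; };

/* Constructed sample registrations, not a real misc_list. */
static const struct miscdevice misc_table[] = {
	{175, "agpgart"}, {63, "tdfx"}, {1, "psaux"},
};
#define NMISC (sizeof misc_table / sizeof misc_table[0])

typedef int (*read_proc_t)(char *buf, char **start, off_t offset,
			   int len, int *eof, void *data);

/* Formatting step shared by both handlers, same format string as misc.c. */
static int format_misc(char *buf)
{
	int written = 0;
	for (size_t i = 0; i < NMISC && written < 4000; i++)
		written += sprintf(buf + written, "%3i %s\n",
				   misc_table[i].minor, misc_table[i].name);
	return written;
}

/* Pre-patch logic: returns everything past offset and ignores len, so the
 * caller copies more bytes than the user asked for (read(fd,buf,1) -> 31). */
static int misc_read_proc_buggy(char *buf, char **start, off_t offset,
				int len, int *eof, void *data)
{
	int total = format_misc(buf);
	(void)len; (void)eof; (void)data;
	*start = buf + offset;
	return total > offset ? total - offset : 0;
}

/* Post-patch logic: never returns more than len. */
static int misc_read_proc_fixed(char *buf, char **start, off_t offset,
				int len, int *eof, void *data)
{
	int written = format_misc(buf);
	(void)eof; (void)data;
	*start = buf + offset;
	written -= offset;
	if (written < 0)
		return 0;
	if (written < len)
		return written;
	return len;
}

/* Model caller: trusts the handler's return value exactly as the kernel does.
 * The memcpy is clamped to user_size only so this model stays memory-safe;
 * the returned count is what read() would report to the user process. */
static ssize_t model_proc_file_read(read_proc_t read_proc, char *user,
				    size_t user_size, size_t nbytes, off_t *ppos)
{
	char page[PAGE_SIZE];
	ssize_t retval = 0;
	int eof = 0;

	while (nbytes > 0 && !eof) {
		int count = nbytes < PROC_BLOCK_SIZE ? (int)nbytes : PROC_BLOCK_SIZE;
		char *start = NULL;
		int n = read_proc(page, &start, *ppos, count, &eof, NULL);
		if (n <= 0)
			break;	/* end of file (or error) */
		size_t room = user_size > (size_t)retval ? user_size - (size_t)retval : 0;
		memcpy(user + retval, start, (size_t)n < room ? (size_t)n : room);
		*ppos += n;
		retval += n;
		nbytes = (size_t)n >= nbytes ? 0 : nbytes - (size_t)n;
	}
	return retval;
}

/* One read(fd, buf, count) from offset 0; returns what read() would return. */
static ssize_t demo_read(read_proc_t fn, size_t count)
{
	char user[PAGE_SIZE];
	off_t pos = 0;
	return model_proc_file_read(fn, user, sizeof user, count, &pos);
}

/* The "dd bs=1" case: 1-byte reads until EOF.  Returns 1 if every read()
 * honoured its 1-byte request and the bytes equal one large read, else 0. */
static int bytewise_read_matches(read_proc_t fn)
{
	char whole[PAGE_SIZE], bytewise[PAGE_SIZE];
	off_t pos = 0;
	ssize_t total = model_proc_file_read(fn, whole, sizeof whole, sizeof whole, &pos);
	ssize_t got = 0;
	pos = 0;
	for (;;) {
		ssize_t n = model_proc_file_read(fn, bytewise + got,
						 sizeof bytewise - (size_t)got, 1, &pos);
		if (n == 0)
			break;
		if (n != 1 || got + 1 >= (ssize_t)sizeof bytewise)
			return 0;	/* read(fd, buf, 1) handed back more than 1 byte */
		got += n;
	}
	return got == total && memcmp(whole, bytewise, (size_t)total) == 0;
}

int main(void)
{
	printf("buggy: read(fd, buf, 1) -> %zd bytes\n", demo_read(misc_read_proc_buggy, 1));
	printf("fixed: read(fd, buf, 1) -> %zd bytes\n", demo_read(misc_read_proc_fixed, 1));
	printf("fixed bytewise read consistent: %d\n", bytewise_read_matches(misc_read_proc_fixed));
	return 0;
}
```

Build with `cc -std=c99 -Wall misc_model.c` (file name assumed). With the three constructed entries the formatted list is 31 bytes, so the pre-patch handler answers a 1-byte read with 31 bytes, which is the overrun that kills more, while the post-patch handler answers with exactly 1 and reproduces the same 31 bytes when read one at a time.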



This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:17 EST