Re: grep /proc/slabinfo + rm -rf => lockup
From: Andrew Morton
Date: Wed Jun 28 2006 - 17:19:57 EST
Alexey Dobriyan <adobriyan@xxxxxxxxx> wrote:
>
> VT1: while true; do grep xfs /proc/slabinfo; done
> VT2: rm -rf linux-vanilla
Yup, we have a buffer overrun in /proc/slabinfo.
From: Andrew Morton <akpm@xxxxxxxx>
The recent vsnprintf() fix introduced an off-by-one, and it's now possible to
overrun the target buffer by one byte. Fix it so that local variable `end'
_really_ points at the last writeable byte.
[jeremy@xxxxxxxx: make the `size==0' case work properly]
Signed-off-by: Jeremy Fitzhardinge <jeremy@xxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
lib/vsprintf.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff -puN lib/vsprintf.c~vsnprintf-fix lib/vsprintf.c
--- a/lib/vsprintf.c~vsnprintf-fix
+++ a/lib/vsprintf.c
@@ -259,7 +259,9 @@ int vsnprintf(char *buf, size_t size, co
int len;
unsigned long long num;
int i, base;
- char *str, *end, c;
+ char *str; /* Where we're writing to */
+ char *end; /* The terminal '\0' (if any) */
+ char c;
const char *s;
int flags; /* flags to number() */
@@ -283,7 +285,10 @@ int vsnprintf(char *buf, size_t size, co
}
str = buf;
- end = buf + size;
+ if (size > 0)
+ end = buf + size - 1;
+ else
+ end = buf;
/* Make sure end is always >= buf */
if (end < buf) {
_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/