From: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
To: Alexander Nyberg <alexn@telia.com>
Cc: Andrew Morton <akpm@osdl.org>, linux-kernel@vger.kernel.org
Subject: Re: 2.6.13-mm3 [OOPS] vfs, page_owner, full reproductively, badness in vsnprintf
Date: Mon, 12 Sep 2005 23:13:21 +0200
Message-ID: <6bffcb0e05091214133c189d05@mail.gmail.com>
In-Reply-To: <20050912175433.GA8574@localhost.localdomain>

Hi,

On 12/09/05, Alexander Nyberg <alexn@telia.com> wrote:
> 
> Gah, I'm such a fantastic programmer.
> 
> I don't know what mc is up to but the error checking in read_page_owner
> is flawed wrt snprintf which could cause the 'size' argument to snprintf
> to become negative and if so overwrite beyond 'buf'.
> 
> Again, I fail to see how mc causes this to happen, but this fixes it
> by proper error checking.
> 
> Signed-off-by: Alexander Nyberg <alexn@telia.com>

Thanks, the patch solved the problem.
Here is a version that applies cleanly on 2.6.13-mm3. Can you review it?

Regards,
Michal Piotrowski

Signed-off-by: Michal K. K. Piotrowski <michal.k.k.piotrowski@gmail.com>

diff -uprN -X linux-mm-clean/Documentation/dontdiff
linux-mm-clean/fs/proc/proc_misc.c linux-mm/fs/proc/proc_misc.c
--- linux-mm-clean/fs/proc/proc_misc.c	2005-09-12 23:02:10.000000000 +0200
+++ linux-mm/fs/proc/proc_misc.c	2005-09-12 22:52:51.000000000 +0200
@@ -567,6 +567,7 @@ read_page_owner(struct file *file, char 
  	char namebuf[128];
  	unsigned long offset = 0, symsize;
 	int i;
+	ssize_t num_written = 0;
 
  	pfn = min_low_pfn + *ppos;
  	page = pfn_to_page(pfn);
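Review bot: `num_written` is declared `ssize_t` here, but the next hunk uses it only as a non-negative running offset that is subtracted from `count` and compared against the `snprintf` return value. The declarations of `ret` and `count` are outside the visible context, so please confirm that the three types agree (or give `num_written` the same type as `count`), so that `ret >= count - num_written` is not evaluated through an unintended signed/unsigned conversion.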
@@ -587,23 +588,41 @@ read_page_owner(struct file *file, char 
  	kbuf = kmalloc(count, GFP_KERNEL);
  	if (!kbuf)
  		return -ENOMEM;
+        ret = snprintf(kbuf, count, "Page allocated via order %d,
mask 0x%x\n",                        page->order, page->gfp_mask);
+        if (ret >= count) {
+                ret = -ENOMEM;
+                goto out;
+        }
+
+        num_written = ret;
 
-	ret = snprintf(kbuf, 1024, "Page allocated via order %d, mask 0x%x\n",
-			page->order, page->gfp_mask);
 
 	for (i = 0; i < 8; i++) {
 		if (!page->trace[i])
 			break;
  		symname = kallsyms_lookup(page->trace[i], &symsize, &offset,
&modname, namebuf);
-		ret += snprintf(kbuf + ret, count - ret, "[0x%lx] %s+%lu\n",
+                ret = snprintf(kbuf + num_written, count -
num_written, "[0x%lx] %s+%lu\n",
  			page->trace[i], namebuf, offset);
+                if (ret >= count - num_written) {
+                        ret = -ENOMEM;
+                        goto out;
+                }
+                num_written += ret;
+
 	}
+        ret = snprintf(kbuf + num_written, count - num_written, "\n");
+        if (ret >= count - num_written) {
+                ret = -ENOMEM;
+                goto out;
+        }
 
-	ret += snprintf(kbuf + ret, count -ret, "\n");
+        num_written += ret;
+        ret = num_written;
 
  	if (copy_to_user(buf, kbuf, ret))
  		ret = -EFAULT;
 
+out:
  	kfree(kbuf);
  	return ret;
 }
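Review bot: the added lines in this hunk are indented with spaces rather than tabs, and the mailer has wrapped the first `snprintf` call in the middle of its format string (after "order %d,") as well as the `snprintf` inside the loop (after `count -`), so the patch will not apply cleanly and the split string literal will not compile as posted; please resend with tab indentation from a client that does not wrap lines. On the logic, every truncation check jumps to `out:` with `ret = -ENOMEM`, which throws away what was already formatted and reports an allocation failure when the actual condition is that the caller's `count` was too small for the record; a comment explaining that choice, or a more descriptive errno, would help. The blank line left above the `for` loop (now two in a row) and the added blank line before the loop's closing brace can be dropped.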
