From: Alexander Nyberg The error checking in read_page_owner is flawed wrt snprintf which could cause the 'size' argument to snprintf to become negative and if so overwrite beyond 'buf'. Again, I fail to see how mc causes this to happen, but this fixes it by proper error checking. Signed-off-by: Alexander Nyberg Signed-off-by: Andrew Morton --- fs/proc/proc_misc.c | 27 +++++++++++++++++++++++---- 1 files changed, 23 insertions(+), 4 deletions(-) diff -puN fs/proc/proc_misc.c~page-owner-tracking-leak-detector-oops-fix fs/proc/proc_misc.c --- 25/fs/proc/proc_misc.c~page-owner-tracking-leak-detector-oops-fix Mon Sep 12 16:14:53 2005 +++ 25-akpm/fs/proc/proc_misc.c Mon Sep 12 16:14:53 2005 @@ -717,6 +717,7 @@ read_page_owner(struct file *file, char char namebuf[128]; unsigned long offset = 0, symsize; int i; + ssize_t num_written = 0; pfn = min_low_pfn + *ppos; page = pfn_to_page(pfn); @@ -738,22 +739,40 @@ read_page_owner(struct file *file, char if (!kbuf) return -ENOMEM; - ret = snprintf(kbuf, 1024, "Page allocated via order %d, mask 0x%x\n", + ret = snprintf(kbuf, count, "Page allocated via order %d, mask 0x%x\n", page->order, page->gfp_mask); + if (ret >= count) { + ret = -ENOMEM; + goto out; + } + + num_written = ret; for (i = 0; i < 8; i++) { if (!page->trace[i]) break; symname = kallsyms_lookup(page->trace[i], &symsize, &offset, &modname, namebuf); - ret += snprintf(kbuf + ret, count - ret, "[0x%lx] %s+%lu\n", + ret = snprintf(kbuf + num_written, count - num_written, "[0x%lx] %s+%lu\n", page->trace[i], namebuf, offset); + if (ret >= count - num_written) { + ret = -ENOMEM; + goto out; + } + num_written += ret; } - ret += snprintf(kbuf + ret, count -ret, "\n"); + ret = snprintf(kbuf + num_written, count - num_written, "\n"); + if (ret >= count - num_written) { + ret = -ENOMEM; + goto out; + } + + num_written += ret; + ret = num_written; if (copy_to_user(buf, kbuf, ret)) ret = -EFAULT; - +out: kfree(kbuf); return ret; } _