On Tue, Aug 28, 2018 at 02:15:01AM +0300, Alexey Dobriyan wrote:
> ---
> fs/proc/base.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
Missing description and S-o-b. Further comments below..
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 33f444721965..668e465c86b3 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -3549,11 +3549,11 @@ static int proc_task_readdir(struct file *file,
> struct dir_context *ctx)
> for (task = first_tid(proc_pid(inode), tid, ctx->pos - 2, ns);
> task;
> task = next_tid(task), ctx->pos++) {
> - char name[10 + 1];
> - unsigned int len;
> + char name[10], *p = name + sizeof(name);
> +
Multiple issues:
- len should be 11, as was in the original code
(0xffffffff = 4294967295, 10 letters)
- while we're at it, let's use a constant for the '11' instead of
mysterious magic numbers
- 'p' is clearly overflowing the stack here
> tid = task_pid_nr_ns(task, ns);
> - len = snprintf(name, sizeof(name), "%u", tid);
> - if (!proc_fill_cache(file, ctx, name, len,
> + p = _print_integer_u32(p, tid);
> + if (!proc_fill_cache(file, ctx, p, name + sizeof(name) - p,
You're replacing snprintf() code __that did proper len checking__
with code that does not. That's not good.
I can't see how the fourth proc_fill_cache() parameter, ``name +
sizeof(name)'' safely ever replace the original 'len' parameter.
It's a pointer value .. (!)
Overall this looks like a broken patch submitted by mistake.
Thanks,
--
Darwish
http://darwish.chasingpointers.com
