Index: i386/i386/pmap.c =================================================================== RCS file: /home/ncvs/src/sys/i386/i386/pmap.c,v retrieving revision 1.250.2.6 retrieving revision 1.250.2.7 diff -u -r1.250.2.6 -r1.250.2.7 --- i386/i386/pmap.c 2000/09/30 02:49:32 1.250.2.6 +++ i386/i386/pmap.c 2000/11/07 18:32:15 1.250.2.7 @@ -2322,8 +2322,11 @@ return; } - if (psize + pindex > object->size) + if (psize + pindex > object->size) { + if (object->size < pindex) + return; psize = object->size - pindex; + } mpte = NULL; /* Index: miscfs/procfs/procfs_ctl.c =================================================================== RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_ctl.c,v retrieving revision 1.17.2.1 retrieving revision 1.17.2.2 diff -u -r1.17.2.1 -r1.17.2.2 --- miscfs/procfs/procfs_ctl.c 1999/08/29 16:26:51 1.17.2.1 +++ miscfs/procfs/procfs_ctl.c 2000/12/18 20:56:05 1.17.2.2 @@ -111,6 +111,19 @@ { int error; + /* Authorization check: rely on normal debugging protection, except + * allow processes to disecgage debugging on a process onto which + * they have previously attached, but no longer have permission to + * debug. + */ + if (op != PROCFS_CTL_DETACH) { + if (securelevel > 0 && p->p_pid == 1) + return (EPERM); + + if (!CHECKIO(curp, p) || !procfs_kmemaccess(curp)) + return (EPERM); + } + /* * Attach - attaches the target process for debugging * by the calling process. @@ -123,10 +136,6 @@ /* can't trace yourself! */ if (p->p_pid == curp->p_pid) return (EINVAL); - - /* can't trace init when securelevel > 0 */ - if (securelevel > 0 && p->p_pid == 1) - return (EPERM); /* * Go ahead and set the trace flag. Index: miscfs/procfs/procfs_status.c =================================================================== RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_status.c,v retrieving revision 1.12.2.3 retrieving revision 1.12.2.4 diff -u -r1.12.2.3 -r1.12.2.4 --- miscfs/procfs/procfs_status.c 1999/12/27 16:05:11 1.12.2.3 +++ miscfs/procfs/procfs_status.c 2000/11/29 10:15:00 1.12.2.4 @@ -53,6 +53,7 @@ #include #include +#define DOCHECK() do { if (ps >= psbuf+sizeof(psbuf)) goto bailout; } while (0) int procfs_dostatus(curp, p, pfs, uio) struct proc *curp; @@ -83,63 +84,82 @@ /* comm pid ppid pgid sid maj,min ctty,sldr start ut st wmsg euid ruid rgid,egid,groups[1 .. NGROUPS] */ + KASSERT(sizeof(psbuf) > MAXCOMLEN, + ("Too short buffer for new MAXCOMLEN")); + ps = psbuf; bcopy(p->p_comm, ps, MAXCOMLEN); ps[MAXCOMLEN] = '\0'; ps += strlen(ps); - ps += sprintf(ps, " %d %d %d %d ", pid, ppid, pgid, sid); + + DOCHECK(); + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, + " %d %d %d %d ", pid, ppid, pgid, sid); + DOCHECK(); if ((p->p_flag&P_CONTROLT) && (tp = sess->s_ttyp)) - ps += sprintf(ps, "%d,%d ", major(tp->t_dev), minor(tp->t_dev)); + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, + "%d,%d ", major(tp->t_dev), minor(tp->t_dev)); else - ps += sprintf(ps, "%d,%d ", -1, -1); + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, + "%d,%d ", -1, -1); sep = ""; if (sess->s_ttyvp) { - ps += sprintf(ps, "%sctty", sep); + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "%sctty", sep); sep = ","; + DOCHECK(); } if (SESS_LEADER(p)) { - ps += sprintf(ps, "%ssldr", sep); + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "%ssldr", sep); sep = ","; + DOCHECK(); + } + if (*sep != ',') { + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "noflags"); + DOCHECK(); } - if (*sep != ',') - ps += sprintf(ps, "noflags"); if (p->p_flag & P_INMEM) - ps += sprintf(ps, " %ld,%ld", + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %ld,%ld", p->p_stats->p_start.tv_sec, p->p_stats->p_start.tv_usec); else - ps += sprintf(ps, " -1,-1"); + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " -1,-1"); { struct timeval ut, st; calcru(p, &ut, &st, (void *) 0); - ps += sprintf(ps, " %ld,%ld %ld,%ld", + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, + " %ld,%ld %ld,%ld", ut.tv_sec, ut.tv_usec, st.tv_sec, st.tv_usec); } - ps += sprintf(ps, " %s", + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %s", (p->p_wchan && p->p_wmesg) ? p->p_wmesg : "nochan"); cr = p->p_ucred; - ps += sprintf(ps, " %lu %lu %lu", + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %lu %lu %lu", (u_long)cr->cr_uid, (u_long)p->p_cred->p_ruid, (u_long)p->p_cred->p_rgid); + DOCHECK(); /* egid (p->p_cred->p_svgid) is equal to cr_ngroups[0] see also getegid(2) in /sys/kern/kern_prot.c */ - for (i = 0; i < cr->cr_ngroups; i++) - ps += sprintf(ps, ",%lu", (u_long)cr->cr_groups[i]); - ps += sprintf(ps, "\n"); + for (i = 0; i < cr->cr_ngroups; i++) { + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, + ",%lu", (u_long)cr->cr_groups[i]); + DOCHECK(); + } + ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "\n"); + DOCHECK(); xlen = ps - psbuf; xlen -= uio->uio_offset; @@ -151,6 +171,9 @@ error = uiomove(ps, xlen, uio); return (error); + +bailout: + return (ENOMEM); } int