authorTed Unangst <tedu@cvs.openbsd.org>2004-05-05 23:52:11 +0000
committerTed Unangst <tedu@cvs.openbsd.org>2004-05-05 23:52:11 +0000
commitc7bd171a110dc759928d58a928869b7e355969c2 (patch)
treeee7900fd3f27674c3f98e4cc4b2038b8fc2c7fe1 /sys
parent9fa54860a762e0b9de75773b73d02d619703f634 (diff)
make sure uio_offset is a safe value, with suggestions from millert@
ok deraadt@ millert@ problem noticed by deprotect.com
Diffstat (limited to 'sys')
-rw-r--r--sys/miscfs/procfs/procfs_cmdline.c7
-rw-r--r--sys/miscfs/procfs/procfs_fpregs.c6
-rw-r--r--sys/miscfs/procfs/procfs_linux.c11
-rw-r--r--sys/miscfs/procfs/procfs_mem.c3
-rw-r--r--sys/miscfs/procfs/procfs_regs.c6
-rw-r--r--sys/miscfs/procfs/procfs_status.c14
-rw-r--r--sys/miscfs/procfs/procfs_subr.c4
7 files changed, 24 insertions, 27 deletions
diff --git a/sys/miscfs/procfs/procfs_cmdline.c b/sys/miscfs/procfs/procfs_cmdline.c
index b4f3de9858c..c23a733045e 100644
--- a/sys/miscfs/procfs/procfs_cmdline.c
+++ b/sys/miscfs/procfs/procfs_cmdline.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_cmdline.c,v 1.3 2001/11/06 19:53:20 miod Exp $ */
+/* $OpenBSD: procfs_cmdline.c,v 1.4 2004/05/05 23:52:09 tedu Exp $ */
/* $NetBSD: procfs_cmdline.c,v 1.3 1999/03/13 22:26:48 thorpej Exp $ */
/*
@@ -83,11 +83,10 @@ procfs_docmdline(curp, p, pfs, uio)
*/
if (P_ZOMBIE(p) || (p->p_flag & P_SYSTEM) != 0) {
len = snprintf(arg, PAGE_SIZE, "(%s)", p->p_comm);
- xlen = len - uio->uio_offset;
- if (xlen <= 0)
+ if (uio->uio_offset >= (off_t)len)
error = 0;
else
- error = uiomove(arg, xlen, uio);
+ error = uiomove(arg, len - uio->uio_offset, uio);
free(arg, M_TEMP);
return (error);
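Review bot: The rewritten call `uiomove(arg, len - uio->uio_offset, uio)` still copies from the start of `arg`, so a read at a non-zero offset returns the first `len - offset` bytes of the string instead of its tail. The length is now bounded correctly, but the source pointer should advance with the offset: `error = uiomove(arg + uio->uio_offset, len - uio->uio_offset, uio);`. This branch only bounds the offset from above, so it stays in range only because procfs_rw (procfs_subr.c, same commit) rejects negative offsets before dispatching. procfs_docmdline starts and ends outside the hunk.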
diff --git a/sys/miscfs/procfs/procfs_fpregs.c b/sys/miscfs/procfs/procfs_fpregs.c
index 7be66cef4f4..a4f91348007 100644
--- a/sys/miscfs/procfs/procfs_fpregs.c
+++ b/sys/miscfs/procfs/procfs_fpregs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_fpregs.c,v 1.6 2003/06/02 23:28:11 millert Exp $ */
+/* $OpenBSD: procfs_fpregs.c,v 1.7 2004/05/05 23:52:10 tedu Exp $ */
/* $NetBSD: procfs_fpregs.c,v 1.4 1995/08/13 09:06:05 mycroft Exp $ */
/*
@@ -63,7 +63,7 @@ procfs_dofpregs(curp, p, pfs, uio)
return (error);
kl = sizeof(r);
- kv = (char *) &r;
+ kv = (char *)&r;
kv += uio->uio_offset;
kl -= uio->uio_offset;
@@ -72,7 +72,7 @@ procfs_dofpregs(curp, p, pfs, uio)
PHOLD(p);
- if (kl < 0)
+ if (uio->uio_offset > (off_t)sizeof(r))
error = EINVAL;
else
error = process_read_fpregs(p, &r);
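Review bot: The new bound check runs after `kv += uio->uio_offset` and `kl -= uio->uio_offset` in the preceding hunk, so for a rejected offset `kv` already points outside `r` and `kl` holds a wrapped or negative value. Nothing visible uses them on the EINVAL path, but computing `kv` and `kl` only after the offset has passed the `uio->uio_offset > (off_t)sizeof(r)` test would keep the out-of-range pointer from existing at all. The same ordering appears in procfs_doregs (procfs_regs.c). Both functions continue outside the hunks shown, so how `kv` and `kl` are used afterwards cannot be confirmed from here.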
diff --git a/sys/miscfs/procfs/procfs_linux.c b/sys/miscfs/procfs/procfs_linux.c
index fe3072d3ac4..356a173d8aa 100644
--- a/sys/miscfs/procfs/procfs_linux.c
+++ b/sys/miscfs/procfs/procfs_linux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_linux.c,v 1.4 2001/11/06 19:53:20 miod Exp $ */
+/* $OpenBSD: procfs_linux.c,v 1.5 2004/05/05 23:52:10 tedu Exp $ */
/* $NetBSD: procfs_linux.c,v 1.2.4.1 2001/03/30 21:48:11 he Exp $ */
/*
@@ -89,16 +89,13 @@ procfs_domeminfo(struct proc *curp, struct proc *p, struct pfsnode *pfs,
PGTOKB(uvmexp.swpages),
PGTOKB(uvmexp.swpages - uvmexp.swpginuse));
- if (len == 0)
+ if (len == 0 || len <= uio->uio_offset || uio->uio_resid == 0)
return 0;
len -= uio->uio_offset;
cp = buf + uio->uio_offset;
len = imin(len, uio->uio_resid);
- if (len <= 0)
- error = 0;
- else
- error = uiomove(cp, len, uio);
+ error = uiomove(cp, len, uio);
return error;
}
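Review bot: With the `len <= 0` test removed, the result of `imin(len, uio->uio_resid)` is passed to uiomove unchecked. imin takes int arguments, so if uio_resid is wider than int (its type is not visible here), a large residual could narrow to a negative value and become the copy length; the old branch turned that case into a no-op. Keeping a guard after the clamp, `if (len <= 0) return 0;`, or clamping against the residual in its own type, would preserve that safety net. The start of procfs_domeminfo is outside the hunk.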
@@ -113,7 +110,7 @@ procfs_docpuinfo(struct proc *curp, struct proc *p, struct pfsnode *pfs,
if (procfs_getcpuinfstr(buf, &len) < 0)
return EIO;
- if (len == 0)
+ if (len == 0 || uio->uio_offset > sizeof(buf))
return 0;
len -= uio->uio_offset;
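Review bot: The added test compares the offset with `sizeof(buf)` rather than with `len`, so an offset past the end of the generated text but still within the buffer size falls through, and `len -= uio->uio_offset` then goes negative. procfs_domeminfo in this same commit uses `len <= uio->uio_offset`, which covers that case; the same condition here, `if (len == 0 || len <= uio->uio_offset)`, would be consistent. The comparison also mixes the signed offset with an unsigned size without the `(off_t)` cast used in the other files of this commit. What follows the subtraction is outside the hunk, so whether a later check catches the negative length cannot be confirmed from here.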
diff --git a/sys/miscfs/procfs/procfs_mem.c b/sys/miscfs/procfs/procfs_mem.c
index b4a1f798fbb..0e6cd9bede8 100644
--- a/sys/miscfs/procfs/procfs_mem.c
+++ b/sys/miscfs/procfs/procfs_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_mem.c,v 1.20 2003/08/15 20:32:19 tedu Exp $ */
+/* $OpenBSD: procfs_mem.c,v 1.21 2004/05/05 23:52:10 tedu Exp $ */
/* $NetBSD: procfs_mem.c,v 1.8 1996/02/09 22:40:50 christos Exp $ */
/*
@@ -121,4 +121,3 @@ procfs_checkioperm(p, t)
return (0);
}
-
diff --git a/sys/miscfs/procfs/procfs_regs.c b/sys/miscfs/procfs/procfs_regs.c
index d2495a2a248..5fe351ca511 100644
--- a/sys/miscfs/procfs/procfs_regs.c
+++ b/sys/miscfs/procfs/procfs_regs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_regs.c,v 1.7 2003/06/02 23:28:11 millert Exp $ */
+/* $OpenBSD: procfs_regs.c,v 1.8 2004/05/05 23:52:10 tedu Exp $ */
/* $NetBSD: procfs_regs.c,v 1.9 1995/08/13 09:06:07 mycroft Exp $ */
/*
@@ -62,7 +62,7 @@ procfs_doregs(curp, p, pfs, uio)
return (error);
kl = sizeof(r);
- kv = (char *) &r;
+ kv = (char *)&r;
kv += uio->uio_offset;
kl -= uio->uio_offset;
@@ -71,7 +71,7 @@ procfs_doregs(curp, p, pfs, uio)
PHOLD(p);
- if (kl < 0)
+ if (uio->uio_offset > (off_t)sizeof(r))
error = EINVAL;
else
error = process_read_regs(p, &r);
diff --git a/sys/miscfs/procfs/procfs_status.c b/sys/miscfs/procfs/procfs_status.c
index 5fb379cd861..0d1a117ffc0 100644
--- a/sys/miscfs/procfs/procfs_status.c
+++ b/sys/miscfs/procfs/procfs_status.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_status.c,v 1.7 2004/03/03 06:28:12 tedu Exp $ */
+/* $OpenBSD: procfs_status.c,v 1.8 2004/05/05 23:52:10 tedu Exp $ */
/* $NetBSD: procfs_status.c,v 1.11 1996/03/16 23:52:50 christos Exp $ */
/*
@@ -165,16 +165,16 @@ procfs_dostatus(curp, p, pfs, uio)
len = procfs_stat_gen(p, NULL, 0);
ps = malloc(len, M_TEMP, M_WAITOK);
- (void) procfs_stat_gen(p, ps, len);
+ len = procfs_stat_gen(p, ps, len);
- len -= uio->uio_offset;
- len = imin(len, uio->uio_resid);
- if (len <= 0)
+ if (len <= uio->uio_offset)
error = 0;
- else
+ else {
+ len -= uio->uio_offset;
+ len = imin(len, uio->uio_resid);
error = uiomove(ps + uio->uio_offset, len, uio);
+ }
free(ps, M_TEMP);
return (error);
}
-
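Review bot: Assigning the second procfs_stat_gen() return value to `len` means the copy length no longer comes from the size that was passed to malloc. If procfs_stat_gen reports the length it wanted rather than the length it wrote (its body is not shown), and the process state grew between the two calls, `len` could exceed the allocation and `uiomove(ps + uio->uio_offset, len, uio)` would read past `ps`. Keeping the allocated size in a separate variable (say `alloclen`) and clamping after the second call, `if (len > alloclen) len = alloclen;`, would close that gap. As in procfs_domeminfo, the `imin(len, uio->uio_resid)` result is also no longer checked for being non-positive before it is used as the copy length.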
diff --git a/sys/miscfs/procfs/procfs_subr.c b/sys/miscfs/procfs/procfs_subr.c
index 38723b253b4..a7f9ff5f06f 100644
--- a/sys/miscfs/procfs/procfs_subr.c
+++ b/sys/miscfs/procfs/procfs_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: procfs_subr.c,v 1.20 2003/08/11 10:08:04 mickey Exp $ */
+/* $OpenBSD: procfs_subr.c,v 1.21 2004/05/05 23:52:10 tedu Exp $ */
/* $NetBSD: procfs_subr.c,v 1.15 1996/02/12 15:01:42 christos Exp $ */
/*
@@ -214,6 +214,8 @@ procfs_rw(v)
/* Do not permit games to be played with init(8) */
if (p->p_pid == 1 && securelevel > 0 && uio->uio_rw == UIO_WRITE)
return (EPERM);
+ if (uio->uio_offset < 0)
+ return (EINVAL);
switch (pfs->pfs_type) {
case Pnote:
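Review bot: The new `uio->uio_offset < 0` guard has no comment, yet the per-file handlers touched by this commit only bound the offset from above and depend on it. A short comment would stop the check from being moved or dropped later, for example `/* uio_offset is signed; the per-type handlers only check the upper bound, so reject negative offsets here */`. It would also help to note in those handlers that they assume a non-negative offset, in case they are ever reached by another path. procfs_rw starts and continues outside the hunk.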