firefox & flash9 patches
Chagin Dmitry
dchagin at freebsd.org
Tue Sep 30 05:10:20 UTC 2008
On Tue, Sep 30, 2008 at 12:02:37AM +0400, Chagin Dmitry wrote:
>
> Hi,
>
> please, test following patches (just -current).
> with them firefox && flash9 forks for me,
> I tested only on ia32 at amd64 with 2.6.16 enabled,
> firefox 2.0.0.16 and flash9 plugin.
>
I have added a check of args->len, because glibc expects EINVAL...
I have also modified sched_setaffinity: by default glibc uses a
128-byte buffer for cpumask_t, so we always fail here.
thnx!
diff --git a/src/sys/compat/linux/linux_misc.c b/src/sys/compat/linux/linux_misc.c
index 585c853..7f75713 100644
--- a/src/sys/compat/linux/linux_misc.c
+++ b/src/sys/compat/linux/linux_misc.c
@@ -1831,11 +1831,14 @@ linux_sched_getaffinity(struct thread *td,
cga.level = CPU_LEVEL_WHICH;
cga.which = CPU_WHICH_PID;
cga.id = args->pid;
- cga.cpusetsize = sizeof(cpumask_t);
+ cga.cpusetsize = sizeof(cpuset_t);
cga.mask = (cpuset_t *) args->user_mask_ptr;
-
+
+ if (cga.cpusetsize > args->len)
+ return (EINVAL);
+
if ((error = cpuset_getaffinity(td, &cga)) == 0)
- td->td_retval[0] = sizeof(cpumask_t);
+ td->td_retval[0] = sizeof(cpuset_t);
return (error);
}
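Review bot: The new `if (cga.cpusetsize > args->len) return (EINVAL);` in linux_sched_getaffinity has no comment saying what it protects. It appears to be the only thing stopping cpuset_getaffinity() from writing sizeof(cpuset_t) bytes into a user buffer the caller declared shorter, though the copy-out itself is not visible here. I would add `/* Linux returns EINVAL when len is smaller than the kernel mask; never copy out more than the caller's buffer holds. */` above the check. Linux, as far as I know, also rejects a len that is not a multiple of sizeof(unsigned long), which this path does not check; confirm whether any emulated caller depends on that. The function starts above the hunk.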
@@ -1854,10 +1857,13 @@ linux_sched_setaffinity(struct thread *td,
printf(ARGS(sched_setaffinity, "%d, %d, *"), args->pid,
args->len);
#endif
+ if (args->len < sizeof(cpuset_t))
+ return (EINVAL);
+
csa.level = CPU_LEVEL_WHICH;
csa.which = CPU_WHICH_PID;
csa.id = args->pid;
- csa.cpusetsize = args->len;
+ csa.cpusetsize = sizeof(cpuset_t);
csa.mask = (cpuset_t *) args->user_mask_ptr;
return (cpuset_setaffinity(td, &csa));
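Review bot: The added `if (args->len < sizeof(cpuset_t)) return (EINVAL);` rejects any caller whose mask is shorter than FreeBSD's cpuset_t, whereas Linux, as far as I know, accepts a short mask and treats the missing bytes as zero. With `csa.cpusetsize` now fixed at sizeof(cpuset_t), any bits the caller sets beyond that size are also dropped without an error. Both deviations should be recorded above the check, e.g. `/* Linux zero-extends a short mask; we reject it, and ignore bytes past sizeof(cpuset_t). */`. The function starts above the hunk and its closing brace is outside it.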
diff --git a/src/sys/compat/linprocfs/linprocfs.c b/src/sys/compat/linprocfs/linprocfs.c
index dd4bf77..715146a 100644
--- a/src/sys/compat/linprocfs/linprocfs.c
+++ b/src/sys/compat/linprocfs/linprocfs.c
@@ -872,14 +872,12 @@ linprocfs_doprocenviron(PFS_FILL_ARGS)
static int
linprocfs_doprocmaps(PFS_FILL_ARGS)
{
- char mebuffer[512];
vm_map_t map = &p->p_vmspace->vm_map;
vm_map_entry_t entry, tmp_entry;
vm_object_t obj, tobj, lobj;
vm_offset_t saved_end;
vm_ooffset_t off = 0;
char *name = "", *freename = NULL;
- size_t len;
ino_t ino;
unsigned int last_timestamp;
int ref_count, shadow_count, flags;
@@ -897,13 +895,9 @@ linprocfs_doprocmaps(PFS_FILL_ARGS)
if (uio->uio_rw != UIO_READ)
return (EOPNOTSUPP);
- if (uio->uio_offset != 0)
- return (0);
-
error = 0;
vm_map_lock_read(map);
- for (entry = map->header.next;
- ((uio->uio_resid > 0) && (entry != &map->header));
+ for (entry = map->header.next; entry != &map->header;
entry = entry->next) {
name = "";
freename = NULL;
@@ -952,7 +946,7 @@ linprocfs_doprocmaps(PFS_FILL_ARGS)
* format:
* start, end, access, offset, major, minor, inode, name.
*/
- snprintf(mebuffer, sizeof mebuffer,
+ error = sbuf_printf(sb,
"%08lx-%08lx %s%s%s%s %08lx %02x:%02x %lu%s%s\n",
(u_long)entry->start, (u_long)entry->end,
(entry->protection & VM_PROT_READ)?"r":"-",
@@ -968,18 +962,11 @@ linprocfs_doprocmaps(PFS_FILL_ARGS)
);
if (freename)
free(freename, M_TEMP);
- len = strlen(mebuffer);
- if (len > uio->uio_resid)
- len = uio->uio_resid; /*
- * XXX We should probably return
- * EFBIG here, as in procfs.
- */
last_timestamp = map->timestamp;
vm_map_unlock_read(map);
- error = uiomove(mebuffer, len, uio);
+ if (error == -1)
+ return (0);
vm_map_lock_read(map);
- if (error)
- break;
if (last_timestamp + 1 != map->timestamp) {
/*
* Look again for the entry because the map was
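Review bot: The added `if (error == -1) return (0);` after `vm_map_unlock_read(map)` reports success when sbuf_printf() could not append the line, so a reader gets a truncated maps listing with no indication that it is incomplete. Anything that audits a process's mappings through this file would treat the short output as the full map, so the truncation should at least be commented or logged. The check also overloads `error`, which otherwise carries errno values in this function, with the -1/0 result assigned from sbuf_printf() in the previous hunk. A comment at the check such as `/* sbuf_printf() returns -1 on overflow, not an errno; output is truncated here */` would make that explicit. The rest of the loop and the function's final return are outside the hunk, so whether later code relies on `error` being an errno cannot be confirmed from here.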
--
Have fun!
chd