Index: miscfs/procfs/procfs_cmdline.c
===================================================================
RCS file: /u/open/cvs/src/sys/miscfs/procfs/procfs_cmdline.c,v
retrieving revision 1.3
diff -u -r1.3 procfs_cmdline.c
--- miscfs/procfs/procfs_cmdline.c 6 Nov 2001 19:53:20 -0000 1.3
+++ miscfs/procfs/procfs_cmdline.c 8 Jun 2004 21:43:47 -0000
@@ -83,11 +83,10 @@
 */
 if (P_ZOMBIE(p) || (p->p_flag & P_SYSTEM) != 0) {
 len = snprintf(arg, PAGE_SIZE, "(%s)", p->p_comm);
- xlen = len - uio->uio_offset;
- if (xlen <= 0)
+ if (uio->uio_offset >= (off_t)len)
 error = 0;
 else
- error = uiomove(arg, xlen, uio);
+ error = uiomove(arg, len - uio->uio_offset, uio);
 free(arg, M_TEMP);
 return (error);
Index: miscfs/procfs/procfs_fpregs.c
===================================================================
RCS file: /u/open/cvs/src/sys/miscfs/procfs/procfs_fpregs.c,v
retrieving revision 1.5
diff -u -r1.5 procfs_fpregs.c
--- miscfs/procfs/procfs_fpregs.c 9 Apr 2001 07:14:21 -0000 1.5
+++ miscfs/procfs/procfs_fpregs.c 8 Jun 2004 21:43:47 -0000
@@ -67,7 +67,7 @@
 return (error);
 kl = sizeof(r);
- kv = (char *) &r;
+ kv = (char *)&r;
 kv += uio->uio_offset;
 kl -= uio->uio_offset;
@@ -76,7 +76,7 @@
 PHOLD(p);
- if (kl < 0)
+ if (uio->uio_offset > (off_t)sizeof(r))
 error = EINVAL;
 else
 error = process_read_fpregs(p, &r);
Index: miscfs/procfs/procfs_linux.c
===================================================================
RCS file: /u/open/cvs/src/sys/miscfs/procfs/procfs_linux.c,v
retrieving revision 1.4
diff -u -r1.4 procfs_linux.c
--- miscfs/procfs/procfs_linux.c 6 Nov 2001 19:53:20 -0000 1.4
+++ miscfs/procfs/procfs_linux.c 8 Jun 2004 21:43:47 -0000
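Review bot: The else branch still hands uiomove the start of the buffer, `arg`, while the length is now `len - uio->uio_offset`, so a read that resumes at a nonzero offset gets the first bytes of the string again instead of its tail. It should read `error = uiomove(arg + uio->uio_offset, len - uio->uio_offset, uio);`. The `uio->uio_offset >= (off_t)len` guard also lets a negative offset through, which would inflate the length beyond `len`, so this branch is only safe if the caller has already rejected negative offsets. The enclosing function begins and ends outside the hunk.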
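Review bot: The new test bounds the offset from above only; a negative `uio->uio_offset` passes it, and because `kv += uio->uio_offset` and `kl -= uio->uio_offset` have already run in the hunk above, the subsequent copy would start below `r` on the kernel stack with an inflated length unless every caller filters negative offsets first. Making the check self-contained costs one clause: `if (uio->uio_offset < 0 || uio->uio_offset > (off_t)sizeof(r))`. Accepting `uio_offset == sizeof(r)` is correct, since that is a zero-length read at EOF rather than an error, and the `(off_t)` cast keeps the comparison signed. The remainder of the function is outside the hunk.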
@@ -89,16 +89,13 @@
 PGTOKB(uvmexp.swpages), PGTOKB(uvmexp.swpages - uvmexp.swpginuse));
- if (len == 0)
+ if (len == 0 || len <= uio->uio_offset || uio->uio_resid == 0)
 return 0;
 len -= uio->uio_offset;
 cp = buf + uio->uio_offset;
 len = imin(len, uio->uio_resid);
- if (len <= 0)
- error = 0;
- else
- error = uiomove(cp, len, uio);
+ error = uiomove(cp, len, uio);
 return error;
 }
@@ -113,7 +110,7 @@
 if (procfs_getcpuinfstr(buf, &len) < 0)
 return EIO;
- if (len == 0)
+ if (len == 0 || uio->uio_offset > sizeof(buf))
 return 0;
 len -= uio->uio_offset;
Index: miscfs/procfs/procfs_regs.c
===================================================================
RCS file: /u/open/cvs/src/sys/miscfs/procfs/procfs_regs.c,v
retrieving revision 1.6
diff -u -r1.6 procfs_regs.c
--- miscfs/procfs/procfs_regs.c 11 Mar 2002 15:39:27 -0000 1.6
+++ miscfs/procfs/procfs_regs.c 8 Jun 2004 21:43:47 -0000
@@ -66,7 +66,7 @@
 return (error);
 kl = sizeof(r);
- kv = (char *) &r;
+ kv = (char *)&r;
 kv += uio->uio_offset;
 kl -= uio->uio_offset;
@@ -75,7 +75,7 @@
 PHOLD(p);
- if (kl < 0)
+ if (uio->uio_offset > (off_t)sizeof(r))
 error = EINVAL;
 else
 error = process_read_regs(p, &r);
Index: miscfs/procfs/procfs_status.c
===================================================================
RCS file: /u/open/cvs/src/sys/miscfs/procfs/procfs_status.c,v
retrieving revision 1.5
diff -u -r1.5 procfs_status.c
--- miscfs/procfs/procfs_status.c 16 May 2001 12:48:32 -0000 1.5
+++ miscfs/procfs/procfs_status.c 8 Jun 2004 21:43:47 -0000
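Review bot: `len` appears to be the return value of the formatting call that ends just above the hunk (presumably snprintf into `buf`), and snprintf reports the would-be length when its output is truncated; in that case `uiomove(cp, len, uio)` would copy past the end of `buf`, because nothing here clamps `len` to the buffer size. If that is where `len` comes from, add `if (len >= sizeof(buf)) len = sizeof(buf) - 1;` before the offset arithmetic, or return EIO on truncation. The new `len <= uio->uio_offset` test assumes a non-negative offset, since `cp = buf + uio->uio_offset` is otherwise out of bounds. The start of the function, with the declaration of `buf` and the formatting call, is outside the hunk.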
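Review bot: The added bound compares the offset with `sizeof(buf)`, the buffer's capacity, instead of `len`, the number of bytes procfs_getcpuinfstr produced, so an offset between the two passes the test and `len -= uio->uio_offset` goes negative. It also compares a signed `off_t` with an unsigned `size_t`: where `size_t` is as wide as `off_t` a negative offset becomes a huge unsigned value and happens to be rejected, where it is narrower the comparison stays signed and a negative offset passes. Use the data length and a signed comparison, as the previous hunk in this file does: `if (len == 0 || len <= uio->uio_offset)`. Whatever follows `len -= uio->uio_offset` is outside the hunk, so whether a negative `len` is caught later cannot be seen here.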
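Review bot: Nothing in this hunk rejects a negative `uio->uio_offset`; the new test only bounds it from above, yet `kv` and `kl` were already adjusted by the offset in the hunk above, so a negative value would point `kv` below `r` and enlarge `kl`, exposing kernel stack if the dispatcher ever let such an offset through. A local guard keeps the function safe on its own: `if (uio->uio_offset < 0 || uio->uio_offset > (off_t)sizeof(r))`. Comparing the offset itself, as the new line does, is also the right replacement for the old `kl < 0` test, which could be bypassed by a large offset if `kl` is narrower than `off_t` — its declaration is not visible here. The rest of the enclosing function lies outside the hunk.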
@@ -168,16 +168,16 @@
 len = procfs_stat_gen(p, NULL, 0);
 ps = malloc(len, M_TEMP, M_WAITOK);
- (void) procfs_stat_gen(p, ps, len);
+ len = procfs_stat_gen(p, ps, len);
- len -= uio->uio_offset;
- len = imin(len, uio->uio_resid);
- if (len <= 0)
+ if (len <= uio->uio_offset)
 error = 0;
- else
+ else {
+ len -= uio->uio_offset;
+ len = imin(len, uio->uio_resid);
 error = uiomove(ps + uio->uio_offset, len, uio);
+ }
 free(ps, M_TEMP);
 return (error);
 }
-
Index: miscfs/procfs/procfs_subr.c
===================================================================
RCS file: /u/open/cvs/src/sys/miscfs/procfs/procfs_subr.c,v
retrieving revision 1.17
diff -u -r1.17 procfs_subr.c
--- miscfs/procfs/procfs_subr.c 14 Mar 2002 00:42:25 -0000 1.17
+++ miscfs/procfs/procfs_subr.c 8 Jun 2004 21:43:47 -0000
@@ -217,6 +217,8 @@
 /* Do not permit games to be played with init(8) */
 if (p->p_pid == 1 && securelevel > 0 && uio->uio_rw == UIO_WRITE)
 return (EPERM);
+ if (uio->uio_offset < 0)
+ return (EINVAL);
 switch (pfs->pfs_type) {
 case Pnote:
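Review bot: `len` is now taken from the second procfs_stat_gen call, but `ps` was allocated from the first call's answer; if procfs_stat_gen returns the full formatted length, snprintf-style, rather than the bytes it actually stored, and the process state it renders changes between the two calls, `len` can exceed the allocation and `uiomove(ps + uio->uio_offset, len, uio)` reads past the end of `ps`. Keep a copy of `len` after the first call, e.g. `alloclen = len;`, and clamp after the second with `if (len > alloclen) len = alloclen;`. Whether procfs_stat_gen truncates its return value to what it stored is not visible in this hunk. The head of the function is outside the hunk.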