From b528a54a708c4cd2149c8e6884af2063c2b272cd Mon Sep 17 00:00:00 2001
From: dzwdz
Date: Sat, 17 Jun 2023 22:19:36 +0200
Subject: kernel: fix procfs overflow bug, add safeguard to prevent similar ones
---
 src/kernel/vfs/procfs.c | 8 ++------
 src/kernel/vfs/request.c | 4 ++++
 2 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'src/kernel/vfs')
diff --git a/src/kernel/vfs/procfs.c b/src/kernel/vfs/procfs.c
index 7669b78..fc17f1d 100644
--- a/src/kernel/vfs/procfs.c
+++ b/src/kernel/vfs/procfs.c
@@ -1,4 +1,5 @@
 #include
+#include // portable despite the name
 #include
 #include
 #include
@@ -119,10 +120,6 @@ procfs_accept(VfsReq *req)
 if (req->type == VFSOP_READ && (h->type == PhDir || h->type == PhRoot)) {
 // TODO port dirbuild to kernel
 int pos = 0;
- if (req->offset != 0) {
- vfsreq_finish_short(req, -ENOSYS);
- return;
- }
 if (h->type == PhDir) {
 pos += snprintf(buf + pos, 512 - pos, "intr")+1;
 pos += snprintf(buf + pos, 512 - pos, "mem")+1;
@@ -136,8 +133,7 @@ procfs_accept(VfsReq *req)
 }
 }
 assert(0 <= pos && (size_t)pos <= sizeof buf);
- pcpy_to(req->caller, req->output.buf, buf, pos);
- vfsreq_finish_short(req, pos);
+ vfsreq_finish_short(req, req_readcopy(req, buf, pos));
 } else if (req->type == VFSOP_READ && h->type == PhMem) {
 if (p->pages == NULL || req->caller->pages == NULL) {
 vfsreq_finish_short(req, 0);
diff --git a/src/kernel/vfs/request.c b/src/kernel/vfs/request.c
index 410e41e..5723201 100644
--- a/src/kernel/vfs/request.c
+++ b/src/kernel/vfs/request.c
@@ -73,6 +73,10 @@ void vfsreq_finish(VfsReq *req, char __user *stored, long ret,
 }
 }
+ if (req->type == VFSOP_READ && ret >= 0) {
+ assert((size_t)ret <= req->output.len);
+ }
+
 if (req->input.kern)
 kfree(req->input.buf_kern);
-- cgit v1.2.3
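Review bot: The fix at the `vfsreq_finish_short(req, req_readcopy(req, buf, pos));` line in procfs_accept rests entirely on req_readcopy, whose definition is not in this diff, so the bound on the copy into the caller's buffer cannot be checked from here. Because the earlier hunk also drops the `req->offset != 0` rejection, a caller-chosen offset now reaches that helper; it presumably has to clamp to `req->output.len` and cope with an offset that is negative or past `pos`. I would add a comment above the call such as `// req_readcopy bounds the copy by req->output.len and req->offset; never pcpy_to() a listing directly`, and confirm those edge cases are covered by a test. procfs_accept starts and ends outside both hunks.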
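Review bot: The new `assert((size_t)ret <= req->output.len);` in vfsreq_finish is a tripwire rather than a bound: if the kernel's assert can be compiled out the safeguard disappears, and where it is active a violation halts the whole kernel. The `char __user *stored` parameter suggests this function also completes requests answered from user space; if `ret` can originate there, a misbehaving backend could trip the assert at will, so clamping or rejecting is safer, e.g. `if ((size_t)ret > req->output.len) ret = req->output.len;`. It is also worth confirming that the check runs before any copy into `req->output.buf`, since the lines above it, like the start and end of the function, are outside the hunk.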