Subject: kern/1804: panics in ibcs2_sys_read
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Drochner <drochner@zelz19.zel.kfa-juelich.de>
List: netbsd-bugs
Date: 12/02/1995 15:57:35
>Number: 1804
>Category: kern
>Synopsis: panics in ibcs2_sys_read
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Dec 2 11:05:01 1995
>Last-Modified:
>Originator: Matthias Drochner
>Organization:
KFA Juelich
>Release: 1.1
>Environment:
NetBSD-1.1 (and -current) with COMPAT_IBCS2
System: NetBSD zelz19 1.1 NetBSD 1.1 (MIST) #11: Fri Dec 1 19:15:50 MET 1995 root@zelz19:/usr/src/sys/arch/i386/compile/MIST i386
>Description:
SysV binaries which read directories by "read" can cause a panic.
This is either the "ibcs2_read" panic in line 516 of ibcs2_misc.c
or a bad dereference of the bdp pointer in the same block.
>How-To-Repeat:
run such binaries...
>Fix:
In lines 506/507, the addition / subtraction of "off" seems unnecessary.
This worked for me:
*** 504,509 ****
goto out;
}
! inp = buf + off;
! buflen -= off;
outp = SCARG(uap, buf);
resid = SCARG(uap, nbytes);
--- 504,509 ----
goto out;
}
! inp = buf /* + off */;
! /* buflen -= off; */
outp = SCARG(uap, buf);
resid = SCARG(uap, nbytes);
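Review bot: commenting out `inp = buf + off;` and `buflen -= off;` leaves `off` computed but unused and two dead statements in the function; if the offset adjustment is really unnecessary here, delete the two lines outright and leave a one-line comment saying the scan starts at `buf` (matching ibcs2_sys_getdents, which the report says this code otherwise mirrors). Since the report attributes the crash to a bad `bdp` dereference in this block, the loop that walks `inp` should also verify that each record fits inside `buf + buflen` before dereferencing it, so a short or oddly aligned directory block fails cleanly instead of panicking.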
Otherwise, the code is pretty identical to ibcs2_sys_getdents.
>Audit-Trail:
>Unformatted: