CVE-2005-0529
Description
Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches: 3
Vulnerability mechanics
Root cause
Signed type mismatch: `proc_file_read` casts `nbytes` to `ssize_t` (signed) while `locks_read_proc` uses `off_t` (signed long) instead of `loff_t` (long long), allowing negative offset/count values to cause a heap buffer overflow.
Attack vector
An attacker with local access can open `/proc/locks`, use `_llseek` to set a crafted negative offset (e.g., `0x80004242`), then call `read()` with a large positive count (e.g., `0x80004242`). The signed comparison in `proc_file_read` treats the negative offset as a large positive value after truncation, causing `locks_read_proc` to write beyond the allocated heap buffer [ref_id=1][ref_id=2]. The advisory's PoC demonstrates this by creating many flocked files to exhaust file descriptors and then performing the seek/read sequence.
Affected code
The vulnerability involves `fs/proc/generic.c:63` in `proc_file_read()` where a signed cast `min_t(ssize_t, ...)` is used, and `locks_read_proc()` in the proc_misc code which uses `off_t off` (a signed long on i386) while the VFS layer uses `loff_t` (long long). The mismatch allows an attacker to supply negative offset and count values that sum to a positive value, triggering a heap-based buffer overflow [ref_id=1][ref_id=2].
What the fix does
The fix, available in Linux 2.6.11-rc4, addresses the signed type mismatch by adding checks at the VFS layer and in `copy_from_user` to prevent negative values from being interpreted as large positive sizes [ref_id=1][ref_id=2]. The individual patches (referenced via BitKeeper changesets) correct the type usage so that `off_t` and `ssize_t` are handled consistently, preventing the signed-to-unsigned conversion that allowed the heap overflow.
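To make the sign confusion described under Root cause and the kind of guard described under What the fix does concrete, here is an added model (not kernel code and not from the advisory): i386 type widths are simulated with fixed-width types so the arithmetic is the same on any host, PROC_BLOCK_SIZE is a constructed constant, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: i386 ABI widths, modeled with fixed-width types so results match on any host. */
typedef int32_t  i386_ssize_t;
typedef uint32_t i386_size_t;
typedef int32_t  i386_off_t;
typedef int64_t  i386_loff_t;

#define PROC_BLOCK_SIZE 3072u   /* constructed constant: PAGE_SIZE - 1024 on i386 */

/* Bug class from the advisory: a min_t(ssize_t, ...) clamp compares in the signed
 * domain, so a count of 0x80004242 becomes negative instead of being capped. */
static i386_ssize_t clamp_count_signed(i386_size_t nbytes)
{
    i386_ssize_t n = (i386_ssize_t)nbytes;   /* wraps negative for nbytes >= 0x80000000 */
    return n < (i386_ssize_t)PROC_BLOCK_SIZE ? n : (i386_ssize_t)PROC_BLOCK_SIZE;
}

/* Hardened clamp: compare as size_t, so the result is always 0..PROC_BLOCK_SIZE. */
static i386_size_t clamp_count_unsigned(i386_size_t nbytes)
{
    return nbytes < PROC_BLOCK_SIZE ? nbytes : PROC_BLOCK_SIZE;
}

/* The VFS hands the handler a loff_t, but a read_proc taking off_t narrows it;
 * a position whose low 32 bits have the top bit set arrives negative. */
static bool offset_narrows_cleanly(i386_loff_t pos)
{
    i386_off_t narrowed = (i386_off_t)pos;
    return pos >= 0 && (i386_loff_t)narrowed == pos;
}

/* Entry guard in the spirit of the fix: refuse the request before any handler
 * arithmetic when either value would change sign in the handler's types. */
static bool read_request_ok(i386_loff_t pos, i386_size_t nbytes)
{
    return offset_narrows_cleanly(pos) && nbytes <= (i386_size_t)INT32_MAX;
}

/* Bytes a handler may write into its page buffer for this request:
 * 0 when the request is rejected, otherwise the unsigned clamp. */
static i386_size_t safe_write_budget(i386_loff_t pos, i386_size_t nbytes)
{
    if (!read_request_ok(pos, nbytes))
        return 0;
    return clamp_count_unsigned(nbytes);
}
```

The advisory's `_llseek(fd,42,0x80004242,...)` builds a position from a high and a low 32-bit half, so the 64-bit value is positive yet its low half is 0x80004242, which is exactly what `offset_narrows_cleanly` rejects.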
Preconditions
- Auth: Local access to the system
- Input: Ability to open /proc/locks and perform llseek/read operations
Reproduction
The advisory includes a complete PoC program that opens `/proc/locks`, calls `_llseek(fd,42,0x80004242,&lr,SEEK_SET)`, then `read(fd,he2,0x80004242)`. It also creates many flocked files via forked processes to exhaust file descriptors before the exploit [ref_id=1][ref_id=2].
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- www.guninski.com/where_do_you_want_billg_to_go_today_3.html (NVD; Exploit; Patch)
- distro.conectiva.com.br/atualizacoes/index.php (NVD)
- linux.bkbits.net:8080/linux-2.6/cset%404201818eC6aMn0x3GY_9rw3ueb2ZWQ (NVD)
- marc.info (NVD)
- marc.info (NVD)
- www.novell.com/linux/security/advisories/2005_18_kernel.html (NVD)
- www.redhat.com/support/errata/RHSA-2005-366.html (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8994 (NVD)