Source-Changes-HG archive


[src/trunk]: src/sys/compat/common compat_30: Avoid what might be technically...



details:   https://anonhg.NetBSD.org/src/rev/2523490d903e
branches:  trunk
changeset: 363434:2523490d903e
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sat Mar 12 15:54:23 2022 +0000

description:
compat_30: Avoid what might be technically undefined behaviour.

Not sure advancing a user pointer by one for the purpose of making an
equality test fail later on is actually likely to be a problem, but
let's just pacify the sanitizer.

Reported-by: syzbot+758b18164c5c444f4249%syzkaller.appspotmail.com@localhost

diffstat:

 sys/compat/common/vfs_syscalls_30.c |  10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diffs (48 lines):

diff -r 29980873d89b -r 2523490d903e sys/compat/common/vfs_syscalls_30.c
--- a/sys/compat/common/vfs_syscalls_30.c       Sat Mar 12 15:50:53 2022 +0000
+++ b/sys/compat/common/vfs_syscalls_30.c       Sat Mar 12 15:54:23 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vfs_syscalls_30.c,v 1.43 2021/09/07 11:43:02 riastradh Exp $   */
+/*     $NetBSD: vfs_syscalls_30.c,v 1.44 2022/03/12 15:54:23 riastradh Exp $   */
 
 /*-
  * Copyright (c) 2005, 2008 The NetBSD Foundation, Inc.
@@ -29,7 +29,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.43 2021/09/07 11:43:02 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.44 2022/03/12 15:54:23 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -219,6 +219,7 @@
        int buflen, error, eofflag;
        off_t *cookiebuf = NULL, *cookie;
        int ncookies;
+       bool any = false;
 
        /* fd_getvnode() will use the descriptor for us */
        if ((error = fd_getvnode(SCARG(uap, fd), &fp)) != 0)
@@ -285,7 +286,7 @@
                idb.d_reclen = _DIRENT_SIZE(&idb);
                if (reclen > len || resid < idb.d_reclen) {
                        /* entry too big for buffer, so just stop */
-                       outp++;
+                       any = true;
                        break;
                }
                /*
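Review bot: In the "entry too big for buffer" branch, `any = true` is set even though no entry has been copied out at that point, so the flag's name does not describe what it records. The removed `outp++` was there only to make the later `outp == SCARG(uap, buf)` comparison fail; a one-line comment at this assignment saying that it suppresses the retry, or a flag name that reflects "do not retry", would keep that intent readable.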
@@ -305,10 +306,11 @@
                /* advance output past NetBSD-3.0-shaped entry */
                outp += idb.d_reclen;
                resid -= idb.d_reclen;
+               any = true;
        }
 
        /* if we squished out the whole block, try again */
-       if (outp == SCARG(uap, buf)) {
+       if (any) {
                if (cookiebuf)
                        free(cookiebuf, M_TEMP);
                cookiebuf = NULL;
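Review bot: The new condition `if (any)` after the loop has the opposite sense of the `outp == SCARG(uap, buf)` test it replaces. The old test was true only when nothing had been written and the loop had not stopped on a too-big entry, which is what the comment "if we squished out the whole block, try again" describes; `any` is true in exactly the other cases, since it is set when an entry is emitted and when the loop breaks on a too-big entry. To keep the previous behaviour the test should be `if (!any)`.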


