Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/kern vfs(9): Avoid arithmetic overflow in lf_advlock.
details: https://anonhg.NetBSD.org/src/rev/1edc5c7e7d4f
branches: trunk
changeset: 368235:1edc5c7e7d4f
user: riastradh <riastradh%NetBSD.org@localhost>
date: Fri Jul 01 01:04:01 2022 +0000
description:
vfs(9): Avoid arithmetic overflow in lf_advlock.
syzbot+897abbbe59467cbf6e98%syzkaller.appspotmail.com@localhost
diffstat:
sys/kern/vfs_lockf.c | 16 ++++++++++++----
1 files changed, 12 insertions(+), 4 deletions(-)
diffs (53 lines):
diff -r 104bd9eb8826 -r 1edc5c7e7d4f sys/kern/vfs_lockf.c
--- a/sys/kern/vfs_lockf.c Thu Jun 30 19:06:35 2022 +0000
+++ b/sys/kern/vfs_lockf.c Fri Jul 01 01:04:01 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_lockf.c,v 1.75 2022/04/16 18:15:22 andvar Exp $ */
+/* $NetBSD: vfs_lockf.c,v 1.76 2022/07/01 01:04:01 riastradh Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1993
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.75 2022/04/16 18:15:22 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.76 2022/07/01 01:04:01 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -815,6 +815,8 @@
off_t start, end;
int error = 0;
+ KASSERTMSG(size >= 0, "size=%jd", (intmax_t)size);
+
/*
* Convert the flock structure into a start and end.
*/
@@ -829,6 +831,8 @@
break;
case SEEK_END:
+ if (fl->l_start > __type_max(off_t) - size)
+ return EINVAL;
start = size + fl->l_start;
break;
@@ -839,10 +843,14 @@
if (fl->l_len == 0)
end = -1;
else {
- if (fl->l_len > 0)
+ if (fl->l_len >= 0) {
+ if (fl->l_len - 1 > __type_max(off_t) - start)
+ return EINVAL;
end = start + fl->l_len - 1;
- else {
+ } else {
/* lockf() allows -ve lengths */
+ if (start < 0)
+ return EINVAL;
end = start - 1;
start += fl->l_len;
}
Home |
Main Index |
Thread Index |
Old Index