Source-Changes-HG archive


[src/trunk]: src/sys/ufs/ufs Reading a directory may trigger a panic when the...



details:   https://anonhg.NetBSD.org/src/rev/9703fdad1d04
branches:  trunk
changeset: 449161:9703fdad1d04
user:      mlelstv <mlelstv%NetBSD.org@localhost>
date:      Sun Feb 24 19:06:40 2019 +0000

description:
Reading a directory may trigger a panic when the buffer is too small.
Adjust necessary checks.

While here, also check for arithmetic overflow.

Reported-by: syzbot+88ecace8bff24169058f%syzkaller.appspotmail.com@localhost

diffstat:

 sys/ufs/ufs/ufs_vnops.c |  25 +++++++++++++++++--------
 1 files changed, 17 insertions(+), 8 deletions(-)

diffs (53 lines):

diff -r ca90f130e59e -r 9703fdad1d04 sys/ufs/ufs/ufs_vnops.c
--- a/sys/ufs/ufs/ufs_vnops.c   Sun Feb 24 18:56:37 2019 +0000
+++ b/sys/ufs/ufs/ufs_vnops.c   Sun Feb 24 19:06:40 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ufs_vnops.c,v 1.242 2019/01/01 10:06:55 hannken Exp $  */
+/*     $NetBSD: ufs_vnops.c,v 1.243 2019/02/24 19:06:40 mlelstv Exp $  */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.242 2019/01/01 10:06:55 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.243 2019/02/24 19:06:40 mlelstv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_ffs.h"
@@ -1268,19 +1268,28 @@
        }
 
        /* round start and end down to block boundaries */
-       physstart = startoffset & ~(off_t)(ump->um_dirblksiz - 1);
-       physend = endoffset & ~(off_t)(ump->um_dirblksiz - 1);
+       physstart = rounddown2(startoffset, ump->um_dirblksiz);
+       physend = rounddown2(endoffset, ump->um_dirblksiz);
+
+       if (physstart >= physend) {
+               /* Need at least one block */
+               return EINVAL;
+       }
+
        skipstart = startoffset - physstart;
        dropend = endoffset - physend;
 
-       if (callerbytes - dropend < _DIRENT_MINSIZE(rawdp)) {
+       /* how much to actually read */
+       rawbufmax = callerbytes + skipstart;
+       if (rawbufmax < callerbytes)
+               return EINVAL;
+       rawbuf -= dropend;
+
+       if (rawbufmax < _DIRENT_MINSIZE(rawdp)) {
                /* no room for even one struct direct */
                return EINVAL;
        }
 
-       /* how much to actually read */
-       rawbufmax = callerbytes + skipstart - dropend;
-
        /* read it */
        rawbuf = kmem_alloc(rawbufmax, KM_SLEEP);
        rawiov.iov_base = rawbuf;
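Review bot: `rawbuf -= dropend;` in this last hunk subtracts from the buffer pointer, which is only assigned by the `rawbuf = kmem_alloc(rawbufmax, KM_SLEEP);` line further down, so `dropend` is no longer taken off the read size the way the removed `rawbufmax = callerbytes + skipstart - dropend;` did. It looks like it was meant to be `rawbufmax -= dropend;`. As written, both the `_DIRENT_MINSIZE(rawdp)` comparison and the allocation use a `rawbufmax` that still includes the `dropend` bytes, so the minimum-size check is weaker than the one it replaces (`callerbytes - dropend < _DIRENT_MINSIZE(rawdp)`). The new `physstart >= physend` test and the `rawbufmax < callerbytes` overflow test are worth keeping as they are.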


