Source-Changes-HG archive


[src/trunk]: src/sys/kern posix_fadvise(2): Detect arithmetic overflow withou...



details:   https://anonhg.NetBSD.org/src/rev/97c04191fc59
branches:  trunk
changeset: 363913:97c04191fc59
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Tue Mar 15 10:37:42 2022 +0000

description:
posix_fadvise(2): Detect arithmetic overflow without UB.

Reported-by: syzbot+18f01abff11bd527c464%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/sys_descrip.c |  13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

diffs (48 lines):

diff -r 5381114b5cb4 -r 97c04191fc59 sys/kern/sys_descrip.c
--- a/sys/kern/sys_descrip.c    Tue Mar 15 00:05:17 2022 +0000
+++ b/sys/kern/sys_descrip.c    Tue Mar 15 10:37:42 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sys_descrip.c,v 1.38 2021/09/11 10:09:13 riastradh Exp $       */
+/*     $NetBSD: sys_descrip.c,v 1.39 2022/03/15 10:37:42 riastradh Exp $       */
 
 /*-
  * Copyright (c) 2008, 2020 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_descrip.c,v 1.38 2021/09/11 10:09:13 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_descrip.c,v 1.39 2022/03/15 10:37:42 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -672,6 +672,7 @@
 int
 do_posix_fadvise(int fd, off_t offset, off_t len, int advice)
 {
+       const off_t OFF_MAX = __type_max(off_t);
        file_t *fp;
        vnode_t *vp;
        off_t endoffset;
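Review bot: The new local at the top of do_posix_fadvise, `const off_t OFF_MAX = __type_max(off_t);`, is spelled like a macro. Readers will look for it in a header, and the declaration would stop compiling if any header included by this file ever defined OFF_MAX as a preprocessor symbol. Consider a lower-case local name, or a file-scope #define wrapped in #ifndef, with a short comment saying it is the largest value representable in off_t.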
@@ -685,8 +686,8 @@
                return EINVAL;
        }
        if (len == 0) {
-               endoffset = INT64_MAX;
-       } else if (len > 0 && (INT64_MAX - offset) >= len) {
+               endoffset = OFF_MAX;
+       } else if (len > 0 && (OFF_MAX - offset) >= len) {
                endoffset = offset + len;
        } else {
                return EINVAL;
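Review bot: In the `len > 0` branch, `(OFF_MAX - offset) >= len` is itself free of overflow only when offset is non-negative, and the context visible here shows an earlier `return EINVAL` but not the condition that leads to it. If that earlier check is what rejects negative offsets, a KASSERT(offset >= 0) or a one-line comment just above this if/else chain would make the dependency explicit, so that a later reordering of the validation does not reintroduce the undefined behaviour this commit removes.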
@@ -743,8 +744,8 @@
                 * region.  It means that if the specified region is smaller
                 * than PAGE_SIZE, we do nothing.
                 */
-               if (round_page(offset) < trunc_page(endoffset) &&
-                   offset <= round_page(offset)) {
+               if (offset <= trunc_page(OFF_MAX) &&
+                   round_page(offset) < trunc_page(endoffset)) {
                        rw_enter(vp->v_uobj.vmobjlock, RW_WRITER);
                        error = VOP_PUTPAGES(vp,
                            round_page(offset), trunc_page(endoffset),
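Review bot: The rewritten condition depends on evaluation order, and the comment above it does not say so. `offset <= trunc_page(OFF_MAX)` has to come first so that `round_page(offset)` is never evaluated, either in the second clause or in the VOP_PUTPAGES arguments that follow, for an offset within a page of OFF_MAX. The existing comment still only covers rounding and skipping regions smaller than PAGE_SIZE. Add a sentence there saying the first clause guards round_page() against signed overflow; without it the clause looks redundant and invites being reordered or dropped. The removed form, `offset <= round_page(offset)`, tested for the overflow only after the rounding had already been computed, which is the pattern to keep out of future edits here.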


