Date: Mon, 7 Apr 2025 14:11:15 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 1101d628223d - main - copy_file_range: Fix overlap checking Message-ID: <202504071411.537EBF5q092672@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=1101d628223d2188c244a4df9b0cb4eaff57e968 commit 1101d628223d2188c244a4df9b0cb4eaff57e968 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-04-07 14:03:50 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2025-04-07 14:03:50 +0000 copy_file_range: Fix overlap checking The check for range overlap did not correctly handle negative offests, as the addition inoff + len is promoted to an unsigned type. Reported by: syzkaller Reviewed by: rmacklem MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D49674 --- sys/kern/vfs_syscalls.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 1a3400a87eeb..7b71ffc76892 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -5075,6 +5075,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t *inoffp, int outfd, if (len == 0) goto out; + /* + * Make sure that the ranges we check and lock below are valid. Note + * that len is clamped to SSIZE_MAX above. + */ + if (inoff < 0 || outoff < 0) { + error = EINVAL; + goto out; + } + /* * If infp and outfp refer to the same file, the byte ranges cannot * overlap.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202504071411.537EBF5q092672>