From: "Pedro F. Giffuni"
Date: Mon, 8 Jul 2013 20:21:36 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r253045 - head/sys/fs/ext2fs
Message-Id: <201307082021.r68KLanT005030@svn.freebsd.org>

Author: pfg
Date: Mon Jul 8 20:21:36 2013
New Revision: 253045
URL: http://svnweb.freebsd.org/changeset/base/253045

Log:
  Avoid a panic and return EINVAL instead.

  Merge from UFS r232692:
  syscall() fuzzing can trigger this panic.

  MFC after: 3 days

Modified:
  head/sys/fs/ext2fs/ext2_vnops.c

Modified: head/sys/fs/ext2fs/ext2_vnops.c ============================================================================== --- head/sys/fs/ext2fs/ext2_vnops.c Mon Jul 8 19:40:50 2013 (r253044) +++ head/sys/fs/ext2fs/ext2_vnops.c Mon Jul 8 20:21:36 2013 (r253045)
@@ -1598,11 +1598,11 @@ ext2_read(struct vop_read_args *ap) } else if (vp->v_type != VREG && vp->v_type != VDIR) panic("%s: type %d", "ext2_read", vp->v_type); #endif + if (uio->uio_resid < 0 || uio->uio_offset < 0) + return (EINVAL); orig_resid = uio->uio_resid; - KASSERT(orig_resid >= 0, ("ext2_read: uio->uio_resid < 0")); if (orig_resid == 0) return (0); - KASSERT(uio->uio_offset >= 0, ("ext2_read: uio->uio_offset < 0")); fs = ip->i_e2fs; if (uio->uio_offset < ip->i_size && uio->uio_offset >= fs->e2fs_maxfilesize)
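
Review bot: The new `uio->uio_offset < 0` test in ext2_read() runs before the `if (orig_resid == 0) return (0);` early exit, whereas the KASSERT it replaces sat after that exit. A zero-length read with a negative offset therefore now returns EINVAL where the old code returned 0 without ever evaluating the offset assertion. If that matches the UFS change being merged, say so in the log message; if not, keep the `uio_resid < 0` check where it is and move the offset check below the `return (0)`. Separately, the `panic("%s: type %d", ...)` just above the `#endif` is still in place, so it is worth confirming that the vnode-type path cannot be reached by the same kind of caller-controlled input that motivated replacing the two KASSERTs.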