From owner-dev-commits-src-all@freebsd.org Tue Feb 16 05:15:40 2021 Return-Path: Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6299E528C23; Tue, 16 Feb 2021 05:15:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Dfq1S2Hnpz4lWV; Tue, 16 Feb 2021 05:15:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4196C2D3C; Tue, 16 Feb 2021 05:15:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11G5Feax061428; Tue, 16 Feb 2021 05:15:40 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11G5FeSN061427; Tue, 16 Feb 2021 05:15:40 GMT (envelope-from git) Date: Tue, 16 Feb 2021 05:15:40 GMT Message-Id: <202102160515.11G5FeSN061427@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Konstantin Belousov Subject: git: c61fae1475f1 - main - pgcache read: protect against reads past end of the vm object size MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: c61fae1475f1864dc4bba667b642f279afd44855 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Feb 2021 05:15:40 -0000 The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=c61fae1475f1864dc4bba667b642f279afd44855 commit c61fae1475f1864dc4bba667b642f279afd44855 Author: Konstantin Belousov AuthorDate: 2021-02-15 03:34:06 +0000 Commit: Konstantin Belousov CommitDate: 2021-02-16 05:09:37 +0000 pgcache read: protect against reads past end of the vm object size If uio_offset is past end of the object size, calculated resid is negative. Delegate handling this case to the locked read, as any other non-trivial situation. PR: 253158 Reported by: Harald Schmalzbauer Tested by: cy Sponsored by: The FreeBSD Foundation MFC after: 1 week --- sys/kern/vfs_vnops.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index f8943b3c07e7..71dd379558cb 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -950,6 +950,10 @@ vn_read_from_obj(struct vnode *vp, struct uio *uio) #else vsz = atomic_load_64(&obj->un_pager.vnp.vnp_size); #endif + if (uio->uio_offset >= vsz) { + error = EJUSTRETURN; + goto out; + } if (uio->uio_offset + resid > vsz) resid = vsz - uio->uio_offset;