From: Peter Holm
Date: Thu, 8 Mar 2012 12:49:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r232692 - head/sys/ufs/ffs
Message-Id: <201203081249.q28Cn9ed045648@svn.freebsd.org>

Author: pho
Date: Thu Mar 8 12:49:08 2012
New Revision: 232692
URL: http://svn.freebsd.org/changeset/base/232692

Log:
  syscall() fuzzing can trigger this panic. Return EINVAL instead.

  MFC after: 1 week

Modified:
  head/sys/ufs/ffs/ffs_vnops.c

Modified: head/sys/ufs/ffs/ffs_vnops.c
==============================================================================
--- head/sys/ufs/ffs/ffs_vnops.c Thu Mar 8 11:05:53 2012 (r232691)
+++ head/sys/ufs/ffs/ffs_vnops.c Thu Mar 8 12:49:08 2012 (r232692)
@@ -464,11 +464,11 @@ ffs_read(ap) } else if (vp->v_type != VREG && vp->v_type != VDIR) panic("ffs_read: type %d", vp->v_type); #endif + if (uio->uio_resid < 0 || uio->uio_offset < 0) + return (EINVAL); orig_resid = uio->uio_resid; - KASSERT(orig_resid >= 0, ("ffs_read: uio->uio_resid < 0")); if (orig_resid == 0) return (0); - KASSERT(uio->uio_offset >= 0, ("ffs_read: uio->uio_offset < 0")); fs = ip->i_fs; if (uio->uio_offset < ip->i_size && uio->uio_offset >= fs->fs_maxfilesize)
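Review bot: the new guard is placed before the `if (orig_resid == 0) return (0);` early return, so a zero-length read at a negative offset now fails with EINVAL where the old code returned 0 without ever reaching `KASSERT(uio->uio_offset >= 0, ...)`; if that behaviour change is intended, say so in the log, otherwise check `uio_offset` after the zero-resid return to preserve the old ordering. Putting the check after `#endif` rather than inside the INVARIANTS-only block is the right call: the removed KASSERTs only fired on debug kernels, while `uio_resid` and `uio_offset` can carry values that originate from a fuzzed syscall on any build, so an unconditional error return rather than a panic is the correct defensive behaviour here.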