git: fb405ecd9f52 - stable/14 - copy_file_range: Fix overlap checking

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Thu, 24 Apr 2025 13:21:17 UTC
The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=fb405ecd9f5208ea8d6c5d1e7352963305aed04b

commit fb405ecd9f5208ea8d6c5d1e7352963305aed04b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-04-07 14:03:50 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-04-24 13:20:52 +0000

    copy_file_range: Fix overlap checking
    
    The check for range overlap did not correctly handle negative offests,
    as the addition inoff + len is promoted to an unsigned type.
    
    Reported by:    syzkaller
    Reviewed by:    rmacklem
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D49674
    
    (cherry picked from commit 1101d628223d2188c244a4df9b0cb4eaff57e968)
---
 sys/kern/vfs_syscalls.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 9f8c960d054c..02908f76ef85 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -4997,6 +4997,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t *inoffp, int outfd,
 	if (len == 0)
 		goto out;
 
+	/*
+	 * Make sure that the ranges we check and lock below are valid.  Note
+	 * that len is clamped to SSIZE_MAX above.
+	 */
+	if (inoff < 0 || outoff < 0) {
+		error = EINVAL;
+		goto out;
+	}
+
 	/*
 	 * If infp and outfp refer to the same file, the byte ranges cannot
 	 * overlap.