git: fb405ecd9f52 - stable/14 - copy_file_range: Fix overlap checking
Date: Thu, 24 Apr 2025 13:21:17 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=fb405ecd9f5208ea8d6c5d1e7352963305aed04b
commit fb405ecd9f5208ea8d6c5d1e7352963305aed04b
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-04-07 14:03:50 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-04-24 13:20:52 +0000
copy_file_range: Fix overlap checking
The check for range overlap did not correctly handle negative offsets,
as the addition inoff + len is promoted to an unsigned type.
Reported by: syzkaller
Reviewed by: rmacklem
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D49674
(cherry picked from commit 1101d628223d2188c244a4df9b0cb4eaff57e968)
---
sys/kern/vfs_syscalls.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 9f8c960d054c..02908f76ef85 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -4997,6 +4997,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t *inoffp, int outfd,
if (len == 0)
goto out;
+ /*
+ * Make sure that the ranges we check and lock below are valid. Note
+ * that len is clamped to SSIZE_MAX above.
+ */
+ if (inoff < 0 || outoff < 0) {
+ error = EINVAL;
+ goto out;
+ }
+
/*
* If infp and outfp refer to the same file, the byte ranges cannot
* overlap.
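Review bot: The new `inoff < 0 || outoff < 0` test sits after the `if (len == 0) goto out;` early exit, so a zero-length request with a negative offset is never validated and does not get EINVAL from this check. If negative offsets are meant to be rejected regardless of length, move the test above the `len == 0` branch; if the exemption is intentional, say so in the comment. The comment also depends on len having been clamped to SSIZE_MAX "above", which is outside this hunk; an assertion on len next to the check would keep that dependency from breaking silently if the clamp is later moved. The diffstat shows only vfs_syscalls.c changing, so a regression test covering negative inoff and outoff for the syzkaller-reported case would be worth adding alongside.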