git: fb405ecd9f52 - stable/14 - copy_file_range: Fix overlap checking
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 24 Apr 2025 13:21:17 UTC
The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=fb405ecd9f5208ea8d6c5d1e7352963305aed04b commit fb405ecd9f5208ea8d6c5d1e7352963305aed04b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-04-07 14:03:50 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2025-04-24 13:20:52 +0000 copy_file_range: Fix overlap checking The check for range overlap did not correctly handle negative offests, as the addition inoff + len is promoted to an unsigned type. Reported by: syzkaller Reviewed by: rmacklem MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D49674 (cherry picked from commit 1101d628223d2188c244a4df9b0cb4eaff57e968) --- sys/kern/vfs_syscalls.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 9f8c960d054c..02908f76ef85 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -4997,6 +4997,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t *inoffp, int outfd, if (len == 0) goto out; + /* + * Make sure that the ranges we check and lock below are valid. Note + * that len is clamped to SSIZE_MAX above. + */ + if (inoff < 0 || outoff < 0) { + error = EINVAL; + goto out; + } + /* * If infp and outfp refer to the same file, the byte ranges cannot * overlap.