Module Name: src Committed By: riastradh Date: Tue Mar 15 10:37:42 UTC 2022
Modified Files: src/sys/kern: sys_descrip.c Log Message: posix_fadvise(2): Detect arithmetic overflow without UB. Reported-by: syzbot+18f01abff11bd527c...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/sys/kern/sys_descrip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/sys_descrip.c
diff -u src/sys/kern/sys_descrip.c:1.38 src/sys/kern/sys_descrip.c:1.39
--- src/sys/kern/sys_descrip.c:1.38 Sat Sep 11 10:09:13 2021
+++ src/sys/kern/sys_descrip.c Tue Mar 15 10:37:42 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_descrip.c,v 1.38 2021/09/11 10:09:13 riastradh Exp $ */
+/* $NetBSD: sys_descrip.c,v 1.39 2022/03/15 10:37:42 riastradh Exp $ */
 /*-
 * Copyright (c) 2008, 2020 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_descrip.c,v 1.38 2021/09/11 10:09:13 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_descrip.c,v 1.39 2022/03/15 10:37:42 riastradh Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -672,6 +672,7 @@ sys_flock(struct lwp *l, const struct sy
 int
 do_posix_fadvise(int fd, off_t offset, off_t len, int advice)
 {
+ const off_t OFF_MAX = __type_max(off_t);
 file_t *fp;
 vnode_t *vp;
 off_t endoffset;
@@ -685,8 +686,8 @@ do_posix_fadvise(int fd, off_t offset, o
 return EINVAL;
 }
 if (len == 0) {
- endoffset = INT64_MAX;
- } else if (len > 0 && (INT64_MAX - offset) >= len) {
+ endoffset = OFF_MAX;
+ } else if (len > 0 && (OFF_MAX - offset) >= len) {
 endoffset = offset + len;
 } else {
 return EINVAL;
@@ -743,8 +744,8 @@ do_posix_fadvise(int fd, off_t offset, o
 * region. It means that if the specified region is smaller
 * than PAGE_SIZE, we do nothing.
 */
- if (round_page(offset) < trunc_page(endoffset) &&
- offset <= round_page(offset)) {
+ if (offset <= trunc_page(OFF_MAX) &&
+ round_page(offset) < trunc_page(endoffset)) {
 rw_enter(vp->v_uobj.vmobjlock, RW_WRITER);
 error = VOP_PUTPAGES(vp, round_page(offset), trunc_page(endoffset),
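Review bot: The new local in the `@@ -672,6 +672,7 @@` hunk is spelled like a macro, so `const off_t OFF_MAX = __type_max(off_t);` would stop compiling if any header included by this file ever defines `OFF_MAX` itself. A lower-case name avoids that collision and reads as the local it is, e.g. `const off_t off_max = __type_max(off_t);`, with the uses in the two later hunks renamed to match. The body of do_posix_fadvise continues outside this hunk.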
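Review bot: The range test `(OFF_MAX - offset) >= len` in the `@@ -685,8 +686,8 @@` hunk is free of signed overflow only while `offset` is non-negative, and the check that guarantees this is not visible here. The leading `return EINVAL;` context is presumably the tail of that check. Stating the precondition next to the arithmetic keeps a later reordering from reintroducing the overflow, for example `/* offset >= 0 was checked above, so OFF_MAX - offset cannot overflow */` placed before `if (len == 0) {`. The `len == 0` branch now yields the maximum `off_t` as the end offset, which is worth a word in the same comment.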
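Review bot: The operand order in the new condition of the `@@ -743,8 +744,8 @@` hunk is what prevents the overflow, but nothing in the code says so. `offset <= trunc_page(OFF_MAX)` has to be evaluated first so that `round_page(offset)`, which presumably rounds up by adding the page mask, is never computed for an offset in the last partial page below the maximum. The existing comment explains only the sub-page case, so a later clean-up could restore the compute-then-check order of the removed lines. I would add `/* Test the bound first: round_page(offset) would overflow for offset > trunc_page(OFF_MAX). */` above the `if`. Since this came from a fuzzer report, a regression test calling posix_fadvise(2) with offsets at and just below the largest `off_t` would also help. The VOP_PUTPAGES call runs past the end of the hunk.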