Module Name: src
Committed By: riastradh
Date: Fri Nov 25 16:15:39 UTC 2022

Modified Files:
    src/sys/kern: vfs_lockf.c

Log Message:
kern/vfs_lockf.c: Parenthesize to make arithmetic match check.

We verified start + (fl->fl_len - 1) would not overflow, but then computed (start + fl->fl_len) - 1 instead, and it is possible for start + fl->fl_len to overflow before we subtract 1.

Reported-by: syzbot+762480b00cb14085f...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=d69313b2460a12715315f9f5f74fbe44b8bc38ba

To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/sys/kern/vfs_lockf.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/vfs_lockf.c diff -u src/sys/kern/vfs_lockf.c:1.77 src/sys/kern/vfs_lockf.c:1.78 --- src/sys/kern/vfs_lockf.c:1.77 Wed Aug 3 11:09:13 2022 +++ src/sys/kern/vfs_lockf.c Fri Nov 25 16:15:39 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: vfs_lockf.c,v 1.77 2022/08/03 11:09:13 riastradh Exp $ */ +/* $NetBSD: vfs_lockf.c,v 1.78 2022/11/25 16:15:39 riastradh Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1993 @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.77 2022/08/03 11:09:13 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.78 2022/11/25 16:15:39 riastradh Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -847,7 +847,7 @@ lf_advlock(struct vop_advlock_args *ap, if (start >= 0 && fl->l_len - 1 > __type_max(off_t) - start) return EINVAL; - end = start + fl->l_len - 1; + end = start + (fl->l_len - 1); } else { /* lockf() allows -ve lengths */ if (start < 0)
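Review bot: In the @@ -847,7 +847,7 @@ hunk of lf_advlock, the corrected line `end = start + (fl->l_len - 1);` depends on parentheses that look redundant to a casual reader, so a later style cleanup could remove them and silently bring back the signed off_t overflow. Add a one-line comment at the assignment stating that the grouping must stay identical to the guard above it, `fl->l_len - 1 > __type_max(off_t) - start`, or compute `fl->l_len - 1` once into a local and use that local in both the check and the assignment so the two cannot drift apart. It is also worth correcting the log message wording for the record in any follow-up: it names the field `fl->fl_len`, while the code in this hunk uses `fl->l_len`.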