Module Name:    src
Committed By:   riastradh
Date:           Tue Oct  1 17:15:59 UTC 2024

Modified Files:
        src/sys/compat/linux/common: linux_file.c

Log Message:
linux_sys_copy_file_range: Avoid UB arithmetic overflow.

No functional change intended in the non-UB case.


To generate a diff of this commit:
cvs rdiff -u -r1.130 -r1.131 src/sys/compat/linux/common/linux_file.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_file.c
diff -u src/sys/compat/linux/common/linux_file.c:1.130 src/sys/compat/linux/common/linux_file.c:1.131
--- src/sys/compat/linux/common/linux_file.c:1.130	Tue Oct  1 17:11:39 2024
+++ src/sys/compat/linux/common/linux_file.c	Tue Oct  1 17:15:59 2024
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_file.c,v 1.130 2024/10/01 17:11:39 riastradh Exp $	*/
+/*	$NetBSD: linux_file.c,v 1.131 2024/10/01 17:15:59 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1995, 1998, 2008 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_file.c,v 1.130 2024/10/01 17:11:39 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_file.c,v 1.131 2024/10/01 17:15:59 riastradh Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -1069,7 +1069,7 @@ linux_sys_copy_file_range(lwp_t *l,
 		syscallarg(size_t) len;
 		syscallarg(unsigned int) flags;
 	} */
-
+	const off_t OFF_MAX = __type_max(off_t);
 	int fd_in, fd_out;
 	file_t *fp_in, *fp_out;
 	struct vnode *invp, *outvp;
@@ -1156,12 +1156,12 @@ linux_sys_copy_file_range(lwp_t *l,
 		have_off_out = true;
 	}
 
-	off_t new_size = off_out + len;
-	if (new_size < 0) {
+	if (off_out < 0 || len > OFF_MAX - off_out) {
 		DPRINTF("%s: New size is greater than OFF_MAX\n", __func__);
 		error = EFBIG;
 		goto out;
 	}
+	const off_t new_size = off_out + len;
 
 	/* Identify overlapping ranges */
 	if ((invp == outvp) &&

Reply via email to