copy_file_range: Fix overlap checking

The check for range overlap did not correctly handle negative offests, as the addition inoff + len is promoted to an unsigned type. Reported by: syzkaller Reviewed by: rmacklem MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D49674
2026-06-09 08:43:19 -04:00 · 2025-04-07 14:03:50 +00:00 · 2025-04-07 14:03:50 +00:00 · 1101d62822
commit 1101d62822
parent 49bc071f40
1 changed files with 9 additions and 0 deletions
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@ -5075,6 +5075,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t *inoffp, int outfd,
 	if (len == 0)
 		goto out;

+	/*
+	 * Make sure that the ranges we check and lock below are valid.  Note
+	 * that len is clamped to SSIZE_MAX above.
+	 */
+	if (inoff < 0 || outoff < 0) {
+		error = EINVAL;
+		goto out;
+	}
+
 	/*
 	 * If infp and outfp refer to the same file, the byte ranges cannot
 	 * overlap.