upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

copy_file_range: Fix overlap checking

Browse source 
The check for range overlap did not correctly handle negative offests,
as the addition inoff + len is promoted to an unsigned type.

Reported by:	syzkaller
Reviewed by:	rmacklem
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D49674

(cherry picked from commit 1101d62822)
This commit is contained in:
Mark Johnston 2025-04-07 14:03:50 +00:00
parent 21ea2ef51c
commit fb405ecd9f
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
sys/kern/vfs_syscalls.c
View file

@ -4997,6 +4997,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t *inoffp, int outfd,
if (len == 0)
goto out;
/*
* Make sure that the ranges we check and lock below are valid. Note
* that len is clamped to SSIZE_MAX above.
*/
if (inoff < 0 || outoff < 0) {
error = EINVAL;
goto out;
}
/*
* If infp and outfp refer to the same file, the byte ranges cannot
* overlap.