The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=1101d628223d2188c244a4df9b0cb4eaff57e968

commit 1101d628223d2188c244a4df9b0cb4eaff57e968
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2025-04-07 14:03:50 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2025-04-07 14:03:50 +0000

    copy_file_range: Fix overlap checking
    
    The check for range overlap did not correctly handle negative offsets,
    as the addition inoff + len is promoted to an unsigned type.
    
    Reported by:    syzkaller
    Reviewed by:    rmacklem
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D49674
---
 sys/kern/vfs_syscalls.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 1a3400a87eeb..7b71ffc76892 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -5075,6 +5075,15 @@ kern_copy_file_range(struct thread *td, int infd, off_t 
*inoffp, int outfd,
        if (len == 0)
                goto out;
 
+       /*
+        * Make sure that the ranges we check and lock below are valid.  Note
+        * that len is clamped to SSIZE_MAX above.
+        */
+       if (inoff < 0 || outoff < 0) {
+               error = EINVAL;
+               goto out;
+       }
+
        /*
         * If infp and outfp refer to the same file, the byte ranges cannot
         * overlap.
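
Review bot: the new comment above `if (inoff < 0 || outoff < 0)` mentions that len is clamped to SSIZE_MAX but does not say why that matters for the check. Consider stating the invariant explicitly: with both offsets non-negative and len no larger than SSIZE_MAX, the unsigned sum inoff + len described in the commit message can no longer wrap (assuming 64-bit off_t and size_t), which is what makes the overlap comparison and the range locks below sound. Separately, the diffstat shows only sys/kern/vfs_syscalls.c changing; a regression test that passes a negative input or output offset and expects EINVAL would keep the syzkaller case covered.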
