Module Name: src Committed By: nia Date: Fri Dec 25 10:00:40 UTC 2020
Modified Files: src/sys/ufs/ufs: ufs_quota1.c Log Message: Avoid potentially accessing an array with an index out of range. Reported-by: syzbot+8832f540234b996bc...@syzkaller.appspotmail.com Reported-by: syzbot+0b785dd10d987350e...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/sys/ufs/ufs/ufs_quota1.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/ufs/ufs/ufs_quota1.c
diff -u src/sys/ufs/ufs/ufs_quota1.c:1.22 src/sys/ufs/ufs/ufs_quota1.c:1.23
--- src/sys/ufs/ufs/ufs_quota1.c:1.22 Mon Jun 20 00:52:04 2016
+++ src/sys/ufs/ufs/ufs_quota1.c Fri Dec 25 10:00:40 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: ufs_quota1.c,v 1.22 2016/06/20 00:52:04 dholland Exp $ */
+/* $NetBSD: ufs_quota1.c,v 1.23 2020/12/25 10:00:40 nia Exp $ */

 /*
 * Copyright (c) 1982, 1986, 1990, 1993, 1995
@@ -35,7 +35,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_quota1.c,v 1.22 2016/06/20 00:52:04 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_quota1.c,v 1.23 2020/12/25 10:00:40 nia Exp $");

 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -311,6 +311,9 @@ quota1_handle_cmd_quotaon(struct lwp *l,
 struct pathbuf *pb;
 struct nameidata nd;

+ if (type < 0 || type >= MAXQUOTAS)
+ return EINVAL;
+
 if (ump->um_flags & UFS_QUOTA2) {
 uprintf("%s: quotas v2 already enabled\n",
 mp->mnt_stat.f_mntonname);
@@ -421,6 +424,9 @@ quota1_handle_cmd_quotaoff(struct lwp *l
 kauth_cred_t cred;
 int i, error;

+ if (type < 0 || type >= MAXQUOTAS)
+ return EINVAL;
+
 mutex_enter(&dqlock);
 while ((ump->umq1_qflags[type] & (QTF_CLOSING | QTF_OPENING)) != 0)
 cv_wait(&dqcv, &dqlock);
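Review bot: The new range check on `type` in quota1_handle_cmd_quotaon, repeated verbatim in quota1_handle_cmd_quotaoff, has no comment saying where the value comes from or which arrays it protects; only the quotaoff hunk shows an indexed access (`ump->umq1_qflags[type]`). I would put `/* type is caller-supplied and indexes the per-type quota arrays; reject it before first use */` above each check. Because the guard is now duplicated per handler, any other quota1 command handler that indexes by `type` presumably needs it too, which these hunks cannot confirm; validating once at the point where the command is dispatched, if there is one, would cover handlers added later. The declaration of `type` and both function bodies lie outside the hunks, so whether the `type < 0` half is reachable depends on its signedness.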