Module Name: src
Committed By: nia
Date: Fri Dec 25 10:00:40 UTC 2020
Modified Files:
src/sys/ufs/ufs: ufs_quota1.c
Log Message:
Avoid potentially accessing an array with an index out of range.
Reported-by: syzbot+8832f540234b996bc...@syzkaller.appspotmail.com
Reported-by: syzbot+0b785dd10d987350e...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/ufs/ufs/ufs_quota1.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/ufs/ufs/ufs_quota1.c
diff -u src/sys/ufs/ufs/ufs_quota1.c:1.22 src/sys/ufs/ufs/ufs_quota1.c:1.23
--- src/sys/ufs/ufs/ufs_quota1.c:1.22 Mon Jun 20 00:52:04 2016
+++ src/sys/ufs/ufs/ufs_quota1.c Fri Dec 25 10:00:40 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: ufs_quota1.c,v 1.22 2016/06/20 00:52:04 dholland Exp $ */
+/* $NetBSD: ufs_quota1.c,v 1.23 2020/12/25 10:00:40 nia Exp $ */
/*
* Copyright (c) 1982, 1986, 1990, 1993, 1995
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_quota1.c,v 1.22 2016/06/20 00:52:04 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_quota1.c,v 1.23 2020/12/25 10:00:40 nia Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -311,6 +311,9 @@ quota1_handle_cmd_quotaon(struct lwp *l,
struct pathbuf *pb;
struct nameidata nd;
+ if (type < 0 || type >= MAXQUOTAS)
+ return EINVAL;
+
if (ump->um_flags & UFS_QUOTA2) {
uprintf("%s: quotas v2 already enabled\n",
mp->mnt_stat.f_mntonname);
@@ -421,6 +424,9 @@ quota1_handle_cmd_quotaoff(struct lwp *l
kauth_cred_t cred;
int i, error;
+ if (type < 0 || type >= MAXQUOTAS)
+ return EINVAL;
+
mutex_enter(&dqlock);
while ((ump->umq1_qflags[type] & (QTF_CLOSING | QTF_OPENING)) != 0)
cv_wait(&dqcv, &dqlock);
