[src/trunk]: src/sys/kern kern/vfs_lockf.c: Parenthesize to make arithmetic m...

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/8833b8ce8a04
branches:  trunk
changeset: 372431:8833b8ce8a04
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Nov 25 16:15:39 2022 +0000

description:
kern/vfs_lockf.c: Parenthesize to make arithmetic match check.

We verified start + (fl->fl_len - 1) would not overflow, but then
computed (start + fl->fl_len) - 1 instead, and it is possible for
start + fl->fl_len to overflow before we subtract 1.

Reported-by: syzbot+762480b00cb14085f63a%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=d69313b2460a12715315f9f5f74fbe44b8bc38ba

diffstat:

 sys/kern/vfs_lockf.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r 98e0fe9c7f20 -r 8833b8ce8a04 sys/kern/vfs_lockf.c
--- a/sys/kern/vfs_lockf.c      Fri Nov 25 16:12:32 2022 +0000
+++ b/sys/kern/vfs_lockf.c      Fri Nov 25 16:15:39 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vfs_lockf.c,v 1.77 2022/08/03 11:09:13 riastradh Exp $ */
+/*     $NetBSD: vfs_lockf.c,v 1.78 2022/11/25 16:15:39 riastradh Exp $ */
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.77 2022/08/03 11:09:13 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_lockf.c,v 1.78 2022/11/25 16:15:39 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -847,7 +847,7 @@
                        if (start >= 0 &&
                            fl->l_len - 1 > __type_max(off_t) - start)
                                return EINVAL;
-                       end = start + fl->l_len - 1;
+                       end = start + (fl->l_len - 1);
                } else {
                        /* lockf() allows -ve lengths */
                        if (start < 0)