Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/ufs/ufs Reading a directory may trigger a panic when the...
details: https://anonhg.NetBSD.org/src/rev/53cf676954c2
branches: trunk
changeset: 839532:53cf676954c2
user: mlelstv <mlelstv%NetBSD.org@localhost>
date: Sun Feb 24 19:06:40 2019 +0000
description:
Reading a directory may trigger a panic when the buffer is too small.
Adjust necessary checks.
While here, also check for arithmetic overflow.
Reported-by: syzbot+88ecace8bff24169058f%syzkaller.appspotmail.com@localhost
diffstat:
sys/ufs/ufs/ufs_vnops.c | 25 +++++++++++++++++--------
1 files changed, 17 insertions(+), 8 deletions(-)
diffs (53 lines):
diff -r 8d158aeba142 -r 53cf676954c2 sys/ufs/ufs/ufs_vnops.c
--- a/sys/ufs/ufs/ufs_vnops.c Sun Feb 24 18:56:37 2019 +0000
+++ b/sys/ufs/ufs/ufs_vnops.c Sun Feb 24 19:06:40 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ufs_vnops.c,v 1.242 2019/01/01 10:06:55 hannken Exp $ */
+/* $NetBSD: ufs_vnops.c,v 1.243 2019/02/24 19:06:40 mlelstv Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.242 2019/01/01 10:06:55 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.243 2019/02/24 19:06:40 mlelstv Exp $");
#if defined(_KERNEL_OPT)
#include "opt_ffs.h"
@@ -1268,19 +1268,28 @@
}
/* round start and end down to block boundaries */
- physstart = startoffset & ~(off_t)(ump->um_dirblksiz - 1);
- physend = endoffset & ~(off_t)(ump->um_dirblksiz - 1);
+ physstart = rounddown2(startoffset, ump->um_dirblksiz);
+ physend = rounddown2(endoffset, ump->um_dirblksiz);
+
+ if (physstart >= physend) {
+ /* Need at least one block */
+ return EINVAL;
+ }
+
skipstart = startoffset - physstart;
dropend = endoffset - physend;
- if (callerbytes - dropend < _DIRENT_MINSIZE(rawdp)) {
+ /* how much to actually read */
+ rawbufmax = callerbytes + skipstart;
+ if (rawbufmax < callerbytes)
+ return EINVAL;
+ rawbuf -= dropend;
+
+ if (rawbufmax < _DIRENT_MINSIZE(rawdp)) {
/* no room for even one struct direct */
return EINVAL;
}
- /* how much to actually read */
- rawbufmax = callerbytes + skipstart - dropend;
-
/* read it */
rawbuf = kmem_alloc(rawbufmax, KM_SLEEP);
rawiov.iov_base = rawbuf;
Home |
Main Index |
Thread Index |
Old Index