Module Name: src Committed By: riastradh Date: Sat Mar 12 15:54:24 UTC 2022
Modified Files: src/sys/compat/common: vfs_syscalls_30.c Log Message: compat_30: Avoid what might be technically undefined behaviour. Not sure advancing a user pointer by one for the purpose of making an equality test fail later on is actually likely to be a problem, but let's just pacify the sanitizer. Reported-by: syzbot+758b18164c5c444f4...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/sys/compat/common/vfs_syscalls_30.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/common/vfs_syscalls_30.c
diff -u src/sys/compat/common/vfs_syscalls_30.c:1.43 src/sys/compat/common/vfs_syscalls_30.c:1.44
--- src/sys/compat/common/vfs_syscalls_30.c:1.43	Tue Sep 7 11:43:02 2021
+++ src/sys/compat/common/vfs_syscalls_30.c	Sat Mar 12 15:54:23 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls_30.c,v 1.43 2021/09/07 11:43:02 riastradh Exp $ */
+/* $NetBSD: vfs_syscalls_30.c,v 1.44 2022/03/12 15:54:23 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2005, 2008 The NetBSD Foundation, Inc.
@@ -29,7 +29,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.43 2021/09/07 11:43:02 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.44 2022/03/12 15:54:23 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -219,6 +219,7 @@ compat_30_sys_getdents(struct lwp *l,
 int buflen, error, eofflag;
 off_t *cookiebuf = NULL, *cookie;
 int ncookies;
+bool any = false;
 
 /* fd_getvnode() will use the descriptor for us */
 if ((error = fd_getvnode(SCARG(uap, fd), &fp)) != 0)
@@ -285,7 +286,7 @@ again:
 idb.d_reclen = _DIRENT_SIZE(&idb);
 if (reclen > len || resid < idb.d_reclen) {
 /* entry too big for buffer, so just stop */
-outp++;
+any = true;
 break;
 }
 /*
@@ -305,10 +306,11 @@ again:
 /* advance output past NetBSD-3.0-shaped entry */
 outp += idb.d_reclen;
 resid -= idb.d_reclen;
+any = true;
 }
 
 /* if we squished out the whole block, try again */
-if (outp == SCARG(uap, buf)) {
+if (any) {
 if (cookiebuf)
 free(cookiebuf, M_TEMP);
 cookiebuf = NULL;
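Review bot: The new condition `if (any) {` in the last hunk reads as the inverse of the comment directly above it, "if we squished out the whole block, try again": `any` is set to true on the first entry that is emitted (`outp += idb.d_reclen; ... any = true;`) and on the entry-too-big `break` that replaced `outp++`, so as written the block after the comment runs only when something was produced and is skipped when the whole block was squished, which is exactly the case the old `outp == SCARG(uap, buf)` test detected. The intended line is presumably `if (!any) {`; that also keeps the meaning of the old `outp++` trick, where the too-big break deliberately made the equality test fail so that no retry happened. I am inferring that the body is the retry path from the comment alone, since it is cut off after `cookiebuf = NULL;` and compat_30_sys_getdents begins and ends outside the hunk. Because the flag now carries the meaning the pointer comparison carried implicitly, a one-line comment on its declaration in the earlier hunk would help, e.g. `bool any = false; /* emitted an entry, or stopped because one would not fit */`.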