Module Name:    src
Committed By:   riastradh
Date:           Wed Jul  6 01:13:30 UTC 2022

Modified Files:
        src/sys/uvm: uvm_device.c

Log Message:
mmap(2): Prohibit overflowing offsets for non-D_NEGOFFSAFE devices.

Reported-by: syzbot+d5a96e7a0ebbd0b76...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/sys/uvm/uvm_device.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/uvm/uvm_device.c
diff -u src/sys/uvm/uvm_device.c:1.74 src/sys/uvm/uvm_device.c:1.75
--- src/sys/uvm/uvm_device.c:1.74	Wed Jul  6 01:12:46 2022
+++ src/sys/uvm/uvm_device.c	Wed Jul  6 01:13:30 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: uvm_device.c,v 1.74 2022/07/06 01:12:46 riastradh Exp $	*/
+/*	$NetBSD: uvm_device.c,v 1.75 2022/07/06 01:13:30 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_device.c,v 1.74 2022/07/06 01:12:46 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_device.c,v 1.75 2022/07/06 01:13:30 riastradh Exp $");
 
 #include "opt_uvmhist.h"
 
@@ -133,12 +133,17 @@ udv_attach(dev_t device, vm_prot_t acces
 	}
 
 	/*
-	 * Negative offsets on the object are not allowed.
+	 * Negative offsets on the object are not allowed, unless the
+	 * device has affirmatively set D_NEGOFFSAFE.
 	 */
-
-	if ((cdev->d_flag & D_NEGOFFSAFE) == 0 &&
-	    off != UVM_UNKNOWN_OFFSET && off < 0)
-		return(NULL);
+	if ((cdev->d_flag & D_NEGOFFSAFE) == 0 && off != UVM_UNKNOWN_OFFSET) {
+		if (off < 0)
+			return NULL;
+		if (size > __type_max(voff_t))
+			return NULL;
+		if (off > __type_max(voff_t) - size)
+			return NULL;
+	}
 
 	/*
 	 * Check that the specified range of the device allows the
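Review bot: The comment above the new block in udv_attach still describes only the negative-offset rule, but the block now also rejects any range whose end `off + size` would pass `__type_max(voff_t)`. That overflow guard is the security-relevant part of the change and deserves a line of its own, for example `Also reject ranges where off + size would overflow voff_t; size is checked first so the subtraction below cannot wrap.` Devices that set D_NEGOFFSAFE, and calls with `off == UVM_UNKNOWN_OFFSET`, skip all three checks. Any later arithmetic on `off` and `size` in this function (its body continues outside the hunk) presumably still has to tolerate wraparound for them, which the comment could also note.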
