Module Name: src Committed By: riastradh Date: Wed Jul 6 01:13:30 UTC 2022
Modified Files: src/sys/uvm: uvm_device.c Log Message: mmap(2): Prohibit overflowing offsets for non-D_NEGOFFSAFE devices. Reported-by: syzbot+d5a96e7a0ebbd0b76...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.74 -r1.75 src/sys/uvm/uvm_device.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/uvm/uvm_device.c
diff -u src/sys/uvm/uvm_device.c:1.74 src/sys/uvm/uvm_device.c:1.75
--- src/sys/uvm/uvm_device.c:1.74 Wed Jul 6 01:12:46 2022
+++ src/sys/uvm/uvm_device.c Wed Jul 6 01:13:30 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_device.c,v 1.74 2022/07/06 01:12:46 riastradh Exp $ */
+/* $NetBSD: uvm_device.c,v 1.75 2022/07/06 01:13:30 riastradh Exp $ */

 /*
 * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_device.c,v 1.74 2022/07/06 01:12:46 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_device.c,v 1.75 2022/07/06 01:13:30 riastradh Exp $");

 #include "opt_uvmhist.h"

@@ -133,12 +133,17 @@ udv_attach(dev_t device, vm_prot_t acces
 }

 /*
- * Negative offsets on the object are not allowed.
+ * Negative offsets on the object are not allowed, unless the
+ * device has affirmatively set D_NEGOFFSAFE.
 */
-
- if ((cdev->d_flag & D_NEGOFFSAFE) == 0 &&
- off != UVM_UNKNOWN_OFFSET && off < 0)
- return(NULL);
+ if ((cdev->d_flag & D_NEGOFFSAFE) == 0 && off != UVM_UNKNOWN_OFFSET) {
+ if (off < 0)
+ return NULL;
+ if (size > __type_max(voff_t))
+ return NULL;
+ if (off > __type_max(voff_t) - size)
+ return NULL;
+ }

 /*
 * Check that the specified range of the device allows the
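Review bot: The block comment above the new `if` in udv_attach still describes only the negative-offset rule, while the body now also rejects a `size` above `__type_max(voff_t)` and an `off` for which `off + size` would exceed it; the comment should cover both, e.g. `* Negative offsets, and ranges whose end (off + size) would overflow voff_t, are not allowed unless the device has affirmatively set D_NEGOFFSAFE.` The three tests are order-dependent: `__type_max(voff_t) - size` is only a meaningful bound once `off < 0` and `size > __type_max(voff_t)` have been ruled out, so a one-line why-comment there would keep a later reorder from reintroducing the wraparound. The declaration of `size` lies outside the hunk; if its type is narrower than voff_t on some ports, the second test is always false there and may trip type-limits warnings, which is worth confirming. Devices that set D_NEGOFFSAFE skip all three tests, so the range check that begins after this hunk presumably still has to tolerate wrapping offsets for them; a short note saying why that is safe would help the next reader.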