Module Name: src
Committed By: riastradh
Date: Sat Apr 29 08:13:27 UTC 2023
Modified Files:
src/sys/fs/tmpfs: tmpfs_subr.c
Log Message:
tmpfs: Refuse sizes that overflow round_page.
Reported-by: syzbot+8dbeee84de15f86df...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=4a27b9fe074f8d4b0afbe22969339b8dfdb157e8
To generate a diff of this commit:
cvs rdiff -u -r1.115 -r1.116 src/sys/fs/tmpfs/tmpfs_subr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/fs/tmpfs/tmpfs_subr.c
diff -u src/sys/fs/tmpfs/tmpfs_subr.c:1.115 src/sys/fs/tmpfs/tmpfs_subr.c:1.116
--- src/sys/fs/tmpfs/tmpfs_subr.c:1.115 Sat Apr 29 06:29:55 2023
+++ src/sys/fs/tmpfs/tmpfs_subr.c Sat Apr 29 08:13:27 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: tmpfs_subr.c,v 1.115 2023/04/29 06:29:55 riastradh Exp $ */
+/* $NetBSD: tmpfs_subr.c,v 1.116 2023/04/29 08:13:27 riastradh Exp $ */
/*
* Copyright (c) 2005-2020 The NetBSD Foundation, Inc.
@@ -73,7 +73,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tmpfs_subr.c,v 1.115 2023/04/29 06:29:55 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tmpfs_subr.c,v 1.116 2023/04/29 08:13:27 riastradh Exp $");
#include <sys/param.h>
#include <sys/cprng.h>
@@ -907,6 +907,9 @@ tmpfs_reg_resize(struct vnode *vp, off_t
KASSERT(vp->v_type == VREG);
KASSERT(newsize >= 0);
+ if (newsize > __type_max(off_t) - PAGE_SIZE + 1)
+ return EFBIG;
+
oldsize = node->tn_size;
oldpages = round_page(oldsize) >> PAGE_SHIFT;
newpages = round_page(newsize) >> PAGE_SHIFT;
