Module Name: src Committed By: riastradh Date: Sat Apr 29 08:13:27 UTC 2023
Modified Files: src/sys/fs/tmpfs: tmpfs_subr.c Log Message: tmpfs: Refuse sizes that overflow round_page. Reported-by: syzbot+8dbeee84de15f86df...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=4a27b9fe074f8d4b0afbe22969339b8dfdb157e8 To generate a diff of this commit: cvs rdiff -u -r1.115 -r1.116 src/sys/fs/tmpfs/tmpfs_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/fs/tmpfs/tmpfs_subr.c diff -u src/sys/fs/tmpfs/tmpfs_subr.c:1.115 src/sys/fs/tmpfs/tmpfs_subr.c:1.116 --- src/sys/fs/tmpfs/tmpfs_subr.c:1.115 Sat Apr 29 06:29:55 2023 +++ src/sys/fs/tmpfs/tmpfs_subr.c Sat Apr 29 08:13:27 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: tmpfs_subr.c,v 1.115 2023/04/29 06:29:55 riastradh Exp $ */ +/* $NetBSD: tmpfs_subr.c,v 1.116 2023/04/29 08:13:27 riastradh Exp $ */ /* * Copyright (c) 2005-2020 The NetBSD Foundation, Inc. @@ -73,7 +73,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: tmpfs_subr.c,v 1.115 2023/04/29 06:29:55 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tmpfs_subr.c,v 1.116 2023/04/29 08:13:27 riastradh Exp $"); #include <sys/param.h> #include <sys/cprng.h> @@ -907,6 +907,9 @@ tmpfs_reg_resize(struct vnode *vp, off_t KASSERT(vp->v_type == VREG); KASSERT(newsize >= 0); + if (newsize > __type_max(off_t) - PAGE_SIZE + 1) + return EFBIG; + oldsize = node->tn_size; oldpages = round_page(oldsize) >> PAGE_SHIFT; newpages = round_page(newsize) >> PAGE_SHIFT;