diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2021-02-15 03:34:06 +0000 |
|---|---|---|
| committer | Konstantin Belousov <kib@FreeBSD.org> | 2021-02-16 05:09:37 +0000 |
| commit | c61fae1475f1864dc4bba667b642f279afd44855 (patch) | |
| tree | c87960f55733cebfe3de23f2ea7567a1d44a968c | |
| parent | 184c1b943937986c81e1996d999d21626ec7a4ff (diff) | |
| download | src-c61fae1475f1864dc4bba667b642f279afd44855.tar.gz src-c61fae1475f1864dc4bba667b642f279afd44855.zip | |
pgcache read: protect against reads past end of the vm object size
If uio_offset is past end of the object size, calculated resid is negative.
Delegate handling this case to the locked read, as any other non-trivial
situation.
PR: 253158
Reported by: Harald Schmalzbauer <bugzilla.freebsd@omnilan.de>
Tested by: cy
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
| -rw-r--r-- | sys/kern/vfs_vnops.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index f8943b3c07e7..71dd379558cb 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -950,6 +950,10 @@ vn_read_from_obj(struct vnode *vp, struct uio *uio) #else vsz = atomic_load_64(&obj->un_pager.vnp.vnp_size); #endif + if (uio->uio_offset >= vsz) { + error = EJUSTRETURN; + goto out; + } if (uio->uio_offset + resid > vsz) resid = vsz - uio->uio_offset; |