Fix ambiguity with lock range end

When the user requests a lock range that ends at LLONG_MAX, replace
the end point with the special EOF value -1. This avoids ambiguity
with lf_end in lf_split(). The ambiguity could result in a broken
data structure.

This change is visible to userspace in a corner case. When a lock range
has been requested with an end point at absolute position LLONG_MAX,
fcntl(F_GETLK) returns l_len == 0, instead of a positive value, for that
range. This seems consistent with FreeBSD and Linux.

OK anton@

Reported-by: syzbot+c93afea6c27a3fa3af39@syzkaller.appspotmail.com

diff --git a/sys/kern/vfs_lockf.c b/sys/kern/vfs_lockf.c
index b2a6af5..a7c6784 100644 (file)
--- a/sys/kern/vfs_lockf.c
+++ b/sys/kern/vfs_lockf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: vfs_lockf.c,v 1.47 2022/06/01 14:16:28 visa Exp $     */
+/*     $OpenBSD: vfs_lockf.c,v 1.48 2022/06/01 14:18:43 visa Exp $     */
 /*     $NetBSD: vfs_lockf.c,v 1.7 1996/02/04 02:18:21 christos Exp $   */
 
 /*
@@ -251,6 +251,9 @@ lf_advlock(struct lockf_state **state, off_t size, caddr_t id, int op,
                if (fl->l_len - 1 > LLONG_MAX - start)
                        return (EOVERFLOW);
                end = start + (fl->l_len - 1);
+               /* Avoid ambiguity at the end of the range. */
+               if (end == LLONG_MAX)
+                       end = -1;
        } else if (fl->l_len < 0) {
                if (start + fl->l_len < 0)
                        return (EINVAL);