From ee8a225221fd82e175a54203d29451ed9dd42a04 Mon Sep 17 00:00:00 2001
From: visa
Date: Wed, 1 Jun 2022 14:18:43 +0000
Subject: [PATCH] Fix ambiguity with lock range end

When the user requests a lock range that ends at LLONG_MAX, replace the end point with the special EOF value -1. This avoids ambiguity with lf_end in lf_split(). The ambiguity could result in a broken data structure. This change is visible to userspace in a corner case. When a lock range has been requested with an end point at absolute position LLONG_MAX, fcntl(F_GETLK) returns l_len == 0, instead of a positive value, for that range. This seems consistent with FreeBSD and Linux.

OK anton@
Reported-by: syzbot+c93afea6c27a3fa3af39@syzkaller.appspotmail.com
---
 sys/kern/vfs_lockf.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/kern/vfs_lockf.c b/sys/kern/vfs_lockf.c
index b2a6af5c0ae..a7c6784fcd0 100644
--- a/sys/kern/vfs_lockf.c
+++ b/sys/kern/vfs_lockf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vfs_lockf.c,v 1.47 2022/06/01 14:16:28 visa Exp $ */
+/* $OpenBSD: vfs_lockf.c,v 1.48 2022/06/01 14:18:43 visa Exp $ */
 /* $NetBSD: vfs_lockf.c,v 1.7 1996/02/04 02:18:21 christos Exp $ */
 
 /*
@@ -251,6 +251,9 @@ lf_advlock(struct lockf_state **state, off_t size, caddr_t id, int op,
 		if (fl->l_len - 1 > LLONG_MAX - start)
 			return (EOVERFLOW);
 		end = start + (fl->l_len - 1);
+		/* Avoid ambiguity at the end of the range. */
+		if (end == LLONG_MAX)
+			end = -1;
 	} else if (fl->l_len < 0) {
 		if (start + fl->l_len < 0)
 			return (EINVAL);
-- 
2.20.1
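Review bot: The added comment `/* Avoid ambiguity at the end of the range. */` in the second hunk says neither what the ambiguity is nor what -1 stands for, so a reader of lf_advlock has to dig up this commit to understand why a valid, in-range end point is being rewritten. I'd expand it to `/* An end point of LLONG_MAX is indistinguishable from an open-ended lock in lf_split(); encode it as EOF (-1) instead. Note this makes F_GETLK report l_len == 0 for such a range. */`. The -1 sentinel is presumably the same encoding the l_len == 0 branch assigns further down the function; if so, a named constant used at both sites would make the "-1 means EOF" invariant harder to break in a later edit. lf_advlock starts and ends outside this hunk, and the first hunk is only the RCS id bump.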