author: Mark Johnston <markj@FreeBSD.org> 2025-04-06 22:51:53 +0000
committer: Mark Johnston <markj@FreeBSD.org> 2025-04-07 11:59:57 +0000
commit: 82d8c609cfb7c6d8a9da8e30efa54240f293359e
tree: 1e6656cfc85aac730b353d579d403d96375aa7a4 /contrib/bind/lib/irs/(developers-only)
parent: da05ca9ab655272569f4af99c86d2aff97a0d2ab
posixshm: Fix range locking in shm_write()

There is a somewhat strange case where when writing to a POSIX shm object, the object is not allowed to grow, and the I/O offset+length overflows. In that case we simply truncate the I/O to the object size. Later we write-lock the range [offset, objsize). However, we were not checking whether offset > objsize, in which case we're writing zero bytes but locking an invalid range.

Modify the range locking in shm_write() to take this possibility into account. While here, rename a variable to make its purpose a bit more clear, and add an assertion against negative offsets (which is supposed to be enforced by the caller of fo_write for I/O to files that aren't character devices).

Reported by: syzkaller
Reviewed by: kevans, kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D49673
Diffstat (limited to 'contrib/bind/lib/irs/(developers-only)')
0 files changed, 0 insertions, 0 deletions
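
The range computation described in the commit message, as an added userland model that is not the FreeBSD source or the committed fix. The struct, the function names and the way the checked variant collapses the range are assumptions for illustration; it covers only the no-grow overflow path the message describes.

```c
#include <assert.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>

/* Userland model with hypothetical names; not the FreeBSD kernel source. */
struct wplan {
    int64_t start;   /* first byte locked (inclusive) */
    int64_t end;     /* end of locked range (exclusive) */
    int64_t nbytes;  /* bytes the write will actually transfer */
};

static bool range_valid(const struct wplan *p) {
    return p->start >= 0 && p->start <= p->end;
}

/* Before: truncate to objsize on overflow, then lock [offset, objsize). */
static struct wplan plan_unchecked(int64_t offset, int64_t len, int64_t objsize) {
    struct wplan p = { offset, 0, 0 };
    assert(offset >= 0 && len >= 0);      /* caller-enforced precondition */
    if (offset > INT64_MAX - len) {       /* offset + len would overflow */
        p.end = objsize;
        p.nbytes = offset < objsize ? objsize - offset : 0;
    } else {
        p.end = offset + len;
        p.nbytes = len;
    }
    return p;
}

/* After (assumed handling): a start past objsize becomes an empty range. */
static struct wplan plan_checked(int64_t offset, int64_t len, int64_t objsize) {
    struct wplan p = plan_unchecked(offset, len, objsize);
    if (p.start > p.end) {
        p.end = p.start;
        p.nbytes = 0;
    }
    return p;
}

int main(void) {
    /* Constructed input: 4096-byte object, offset near the top of the range. */
    int64_t off = INT64_MAX - 10, len = 100, objsize = 4096;
    struct wplan a = plan_unchecked(off, len, objsize);
    struct wplan b = plan_checked(off, len, objsize);
    printf("unchecked: [%" PRId64 ", %" PRId64 ") valid=%d\n", a.start, a.end, range_valid(&a));
    printf("checked:   [%" PRId64 ", %" PRId64 ") valid=%d\n", b.start, b.end, range_valid(&b));
    return 0;
}
```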