Enforce splice offset limits

Splice must not allow negative offsets. Writes also must not allow offset + size to overflow int64. Reads are similarly broken, but not just in splice (b/148095030). Reported-by: syzbot+0e1ff0b95fb2859b4190@syzkaller.appspotmail.com PiperOrigin-RevId: 292361208
author: Michael Pratt <mpratt@google.com> 2020-01-30 09:13:36 -0800
committer: gVisor bot <gvisor-bot@google.com> 2020-01-30 09:14:31 -0800
commit: ede8dfab3760afc8063c3418f217e52f7ec70d42 (patch)
tree: a51f17db38b31f257edc9dc471658f8fde3cb87f /pkg/sentry/fs
parent: ec0679737e8f9ab31ef6c7c3adb5a0005586b5a7 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/pkg/sentry/fs/tmpfs/inode_file.go b/pkg/sentry/fs/tmpfs/inode_file.go
index dabc10662..25abbc151 100644
--- a/pkg/sentry/fs/tmpfs/inode_file.go
+++ b/pkg/sentry/fs/tmpfs/inode_file.go
@@ -17,6 +17,7 @@ package tmpfs
 import (
 	"fmt"
 	"io"
+	"math"
 	"time"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
@@ -444,10 +445,15 @@ func (rw *fileReadWriter) WriteFromBlocks(srcs safemem.BlockSeq) (uint64, error)
 	defer rw.f.dataMu.Unlock()
 
 	// Compute the range to write.
-	end := fs.WriteEndOffset(rw.offset, int64(srcs.NumBytes()))
-	if end == rw.offset { // srcs.NumBytes() == 0?
+	if srcs.NumBytes() == 0 {
+		// Nothing to do.
 		return 0, nil
 	}
+	end := fs.WriteEndOffset(rw.offset, int64(srcs.NumBytes()))
+	if end == math.MaxInt64 {
+		// Overflow.
+		return 0, syserror.EINVAL
+	}
 
 	// Check if seals prevent either file growth or all writes.
 	switch {
author	Michael Pratt <mpratt@google.com>	2020-01-30 09:13:36 -0800
committer	gVisor bot <gvisor-bot@google.com>	2020-01-30 09:14:31 -0800
commit	ede8dfab3760afc8063c3418f217e52f7ec70d42 (patch)
tree	a51f17db38b31f257edc9dc471658f8fde3cb87f /pkg/sentry/fs
parent	ec0679737e8f9ab31ef6c7c3adb5a0005586b5a7 (diff)