authorNicolas Lacasse <nlacasse@google.com>2020-04-13 17:58:52 -0700
committergVisor bot <gvisor-bot@google.com>2020-04-13 18:00:17 -0700
commit71e6ac3e1f551cf52166bf501de114f06502b994 (patch)
treeda47d4a0d643d4aa0e446a94aa760e991a2d09fc /pkg/sentry/syscalls/linux/vfs2
parentd303684d7ab9b8a3961398fcf12560956ee9e2e3 (diff)
Don't allow read/write when offset+size overflows.
PiperOrigin-RevId: 306348346
Diffstat (limited to 'pkg/sentry/syscalls/linux/vfs2')
-rw-r--r--pkg/sentry/syscalls/linux/vfs2/read_write.go8
1 files changed, 4 insertions, 4 deletions
diff --git a/pkg/sentry/syscalls/linux/vfs2/read_write.go b/pkg/sentry/syscalls/linux/vfs2/read_write.go
index 35f6308d6..898b190fd 100644
--- a/pkg/sentry/syscalls/linux/vfs2/read_write.go
+++ b/pkg/sentry/syscalls/linux/vfs2/read_write.go
@@ -130,8 +130,8 @@ func Pread64(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysca
}
defer file.DecRef()
- // Check that the offset is legitimate.
- if offset < 0 {
+ // Check that the offset is legitimate and does not overflow.
+ if offset < 0 || offset+int64(size) < 0 {
return 0, nil, syserror.EINVAL
}
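Review bot: The added condition `offset+int64(size) < 0` in Pread64 only catches overflow if `int64(size)` is itself non-negative. The cast suggests `size` is an unsigned type; if it can be 2^63 or larger, the conversion yields a negative value, and a large positive offset plus that value stays non-negative and passes the guard. No size validation is visible in this hunk and the function body continues past it, so this may already be handled later. Validating `size` before this check and then comparing without wraparound, e.g. `if offset < 0 || offset > math.MaxInt64-int64(size) {`, would make the guard hold regardless of order. The same condition is repeated in the Pwrite64 hunk, so a small shared helper would keep the two in step.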
@@ -362,8 +362,8 @@ func Pwrite64(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sysc
}
defer file.DecRef()
- // Check that the offset is legitimate.
- if offset < 0 {
+ // Check that the offset is legitimate and does not overflow.
+ if offset < 0 || offset+int64(size) < 0 {
return 0, nil, syserror.EINVAL
}