splice: return EINVAL is len is negative

Reported-by: syzbot+0268cc591c0f517a1de0@syzkaller.appspotmail.com PiperOrigin-RevId: 337901664
author: Andrei Vagin <avagin@google.com> 2020-10-19 11:51:15 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-10-19 11:52:51 -0700
commit: cd108432a50ec777ce92f9d207154173e3f0b665 (patch)
tree: e62fe4c644306ded4d6245d4b582b7f69cddf369 /pkg/sentry/syscalls
parent: c206fcbfc2b951a49798a1b84e9cd3c6097ffdca (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/pkg/sentry/syscalls/linux/vfs2/splice.go b/pkg/sentry/syscalls/linux/vfs2/splice.go
index bf5c1171f..035e2a6b0 100644
--- a/pkg/sentry/syscalls/linux/vfs2/splice.go
+++ b/pkg/sentry/syscalls/linux/vfs2/splice.go
@@ -45,6 +45,9 @@ func Splice(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscal
 	if count > int64(kernel.MAX_RW_COUNT) {
 		count = int64(kernel.MAX_RW_COUNT)
 	}
+	if count < 0 {
+		return 0, nil, syserror.EINVAL
+	}
 
 	// Check for invalid flags.
 	if flags&^(linux.SPLICE_F_MOVE|linux.SPLICE_F_NONBLOCK|linux.SPLICE_F_MORE|linux.SPLICE_F_GIFT) != 0 {
@@ -192,6 +195,9 @@ func Tee(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.SyscallCo
 	if count > int64(kernel.MAX_RW_COUNT) {
 		count = int64(kernel.MAX_RW_COUNT)
 	}
+	if count < 0 {
+		return 0, nil, syserror.EINVAL
+	}
 
 	// Check for invalid flags.
 	if flags&^(linux.SPLICE_F_MOVE|linux.SPLICE_F_NONBLOCK|linux.SPLICE_F_MORE|linux.SPLICE_F_GIFT) != 0 {
author	Andrei Vagin <avagin@google.com>	2020-10-19 11:51:15 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-10-19 11:52:51 -0700
commit	cd108432a50ec777ce92f9d207154173e3f0b665 (patch)
tree	e62fe4c644306ded4d6245d4b582b7f69cddf369 /pkg/sentry/syscalls
parent	c206fcbfc2b951a49798a1b84e9cd3c6097ffdca (diff)