
posixshm: Fix range locking in shm_write()
ClosedPublic

Authored by markj on Apr 5 2025, 4:38 PM.

Details

Summary

There is a somewhat strange case where when writing to a POSIX shm
object, the object is not allowed to grow, and the I/O offset+length
overflows. In that case we simply truncate the I/O to the object size.
Later we write-lock the range [offset, objsize). However, we were not
checking whether offset > objsize, in which case we're writing zero
bytes but locking an invalid range.

Modify the range locking in shm_write() to take this possibility into
account. While here, rename a variable to make its purpose a bit more
clear, and add an assertion against negative offsets (which is supposed
to be enforced by the caller of fo_write for I/O to files that aren't
character devices).
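To make the edge case in the summary concrete, here is an added model of the offset/length/lock-range arithmetic it describes. This is constructed example code, not FreeBSD's shm_write() or rangelock implementation; the names lock_range, plan_write_before and plan_write_after are hypothetical, and the "after" variant is one way to express the fix (derive the locked range from the bytes actually written), not necessarily the committed change. It shows how a non-growable object, a write offset past the end, and the unconditional [offset, objsize) lock combine into a range with start > end, which is exactly the invariant the rangelock assertion checks.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the shm_write() range computation described in the
 * review summary. Not FreeBSD's code; all names here are hypothetical.
 */
struct lock_range {
    int64_t start;  /* first byte of the write-locked range */
    int64_t end;    /* one past the last byte; must satisfy start <= end */
    size_t  nbytes; /* bytes that will actually be written */
};

/* The invariant a range lock relies on: the range must not be inverted. */
static bool lock_range_is_valid(const struct lock_range *r)
{
    return r->start <= r->end;
}

/* Bytes that fit without growing a fixed-size object. */
static size_t clamp_to_object(int64_t offset, size_t len, int64_t objsize)
{
    if (offset >= objsize)
        return 0;                          /* nothing fits: zero-byte write */
    if ((uint64_t)len > (uint64_t)(objsize - offset))
        return (size_t)(objsize - offset); /* truncate the I/O to the object */
    return len;
}

/*
 * Before the fix: the I/O is truncated to the object size, but the lock
 * range is always [offset, objsize), which is inverted when offset > objsize
 * even though zero bytes will be written.
 */
static struct lock_range
plan_write_before(int64_t offset, size_t len, int64_t objsize, bool can_grow)
{
    struct lock_range r = { .start = offset };
    if (can_grow) {
        r.nbytes = len;
        r.end = offset + (int64_t)len;
    } else {
        r.nbytes = clamp_to_object(offset, len, objsize);
        r.end = objsize;  /* bug: may be smaller than offset */
    }
    return r;
}

/*
 * After the fix (one possible expression of it): derive the locked range
 * from the number of bytes that will really be written, so a zero-byte
 * write locks an empty but well-formed range. The non-negative offset is
 * asserted, as the summary says fo_write's caller is supposed to guarantee.
 */
static struct lock_range
plan_write_after(int64_t offset, size_t len, int64_t objsize, bool can_grow)
{
    assert(offset >= 0);
    struct lock_range r = { .start = offset };
    r.nbytes = can_grow ? len : clamp_to_object(offset, len, objsize);
    r.end = offset + (int64_t)r.nbytes;
    return r;
}

int main(void)
{
    /* Constructed input: 100-byte object, 50-byte write at offset 200. */
    struct lock_range b = plan_write_before(200, 50, 100, false);
    struct lock_range a = plan_write_after(200, 50, 100, false);
    printf("before: [%lld, %lld) nbytes=%zu valid=%d\n",
           (long long)b.start, (long long)b.end, b.nbytes, lock_range_is_valid(&b));
    printf("after:  [%lld, %lld) nbytes=%zu valid=%d\n",
           (long long)a.start, (long long)a.end, a.nbytes, lock_range_is_valid(&a));
    return 0;
}
```

The in-bounds cases are unchanged by the fix: a write that merely straddles the end of a non-growable object still locks up to objsize, and a growable object still locks the full [offset, offset + len) range. Only the offset-past-the-end case changes, from an inverted range to an empty one.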

Reported by: syzkaller

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

markj requested review of this revision. Apr 5 2025, 4:38 PM

In particular, this tripped an assertion I added locally to kern_rangelock.c which checks that the range passed in has start <= end.

This revision is now accepted and ready to land. Apr 5 2025, 9:27 PM
This revision was automatically updated to reflect the committed changes.