Kernel: Fix TmpFS resize behavior around INT32_MAX for 32-bit systems

We need some overflow checks due to the implementation of TmpFS.
When size_t is 32 bits and off_t is 64 bits, we might overflow our
KBuffer max size and confuse the KBuffer set_size code, causing a VERIFY
failure. Make sure that resulting offset + size will fit in a size_t.
As another constraint, we make sure that the resulting offset + size will
be less than half of the maximum value of a size_t, because we double
the KBuffer size each time we resize it.
Andrew Kaster 2021-07-07 00:17:22 -06:00 committed by Andreas Kling
parent 4cc75501d7
commit 3f0dcd63dc
Notes: sideshowbarker 2024-07-18 09:18:50 +09:00
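The arithmetic the commit message describes, as an added example that is not SerenityOS code: it models the 32-bit case (a 64-bit file offset type next to a 32-bit size type) with fixed-width types so it behaves the same on a 64-bit host, and goes slightly beyond the page's check by also rejecting a negative offset and an `offset + size` sum that wraps in the offset type. The names `tmpfs_new_size_for_write`, `tmpfs_grow_capacity`, `model_off_t` and `model_size_t` are assumptions for this illustration, not identifiers from the tree.

```c
#include <errno.h>
#include <stdint.h>

/* Added example, not SerenityOS code. Models the 32-bit configuration the
 * commit describes: a 64-bit off_t beside a 32-bit size_t. Fixed-width
 * types keep the behaviour identical when compiled on a 64-bit host. */
typedef int64_t  model_off_t;   /* stands in for off_t  */
typedef uint32_t model_size_t;  /* stands in for size_t */
#define MODEL_SIZE_MAX UINT32_MAX

/* Hypothetical helper mirroring the check added to TmpFSInode::write_bytes.
 * Returns 0 and stores the resulting file size in *new_size, or an errno:
 *   EINVAL  offset is negative, or offset + size overflows model_off_t
 *           (this part goes beyond the page's check);
 *   ENOMEM  the resulting size exceeds half of MODEL_SIZE_MAX, so a buffer
 *           grown to twice that size could not be expressed in model_size_t
 *           (the commit's max/2 rule). */
int tmpfs_new_size_for_write(model_off_t current_size, model_off_t offset,
                             model_size_t size, model_off_t *new_size)
{
    if (offset < 0)
        return EINVAL;

    /* size promotes to the 64-bit type; the add is overflow-checked so a
     * huge offset cannot wrap the end position negative. */
    model_off_t end;
    if (__builtin_add_overflow(offset, (model_off_t)size, &end))
        return EINVAL;

    model_off_t candidate = current_size;
    if (end > candidate)
        candidate = end;

    /* Compare in the wider type: truncating candidate to model_size_t first
     * would silently accept a 4 GiB write on a 32-bit size_t. */
    if ((uint64_t)candidate > (uint64_t)(MODEL_SIZE_MAX / 2))
        return ENOMEM;

    *new_size = candidate;
    return 0;
}

/* Capacity a 2x growth policy would request for new_size. The max/2 rule in
 * tmpfs_new_size_for_write guarantees this product fits in model_size_t. */
model_size_t tmpfs_grow_capacity(model_off_t new_size)
{
    return (model_size_t)(new_size * 2);
}
```

The boundary worth keeping in mind is `MODEL_SIZE_MAX / 2` = 0x7FFFFFFF: a file of exactly that size is accepted and doubles to 0xFFFFFFFE, while one byte more is refused with ENOMEM because the doubled capacity would wrap.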

@ -159,11 +159,14 @@ KResultOr<size_t> TmpFSInode::write_bytes(off_t offset, size_t size, const UserO
off_t old_size = m_metadata.size;
off_t new_size = m_metadata.size;
if (offset + size > (size_t)new_size)
if (static_cast<off_t>(offset + size) > new_size)
new_size = offset + size;
if (static_cast<u64>(new_size) > (NumericLimits<size_t>::max() / 2)) // on 32-bit, size_t might be 32 bits while off_t is 64 bits
return ENOMEM; // we won't be able to resize to this capacity
if (new_size > old_size) {
if (m_content && m_content->capacity() >= (size_t)new_size) {
if (m_content && static_cast<off_t>(m_content->capacity()) >= new_size) {
m_content->set_size(new_size);
} else {
// Grow the content buffer 2x the new sizeto accommodate repeating write() calls.
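Review bot: the new guard `if (static_cast<u64>(new_size) > (NumericLimits<size_t>::max() / 2))` bounds new_size, but nothing in this hunk bounds the `offset + size` addition that produces it: with a negative offset, or one close to the top of off_t's range, the sum can wrap before `static_cast<off_t>(offset + size) > new_size` is evaluated, so the comparison is false, new_size stays at old_size and the write range is never checked. If callers are not already guaranteed to reject such offsets, compute the end position with an overflow-checked add (for example AK's Checked<off_t>) and return an error when it fails, before the max/2 comparison. Two smaller points: the inline comment says why size_t may be narrower than off_t but not why the divisor is 2, so spell out that the buffer is grown to twice new_size below; and the grow comment has a typo, "sizeto" should read "size to".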