From: Matteo Croce
To: linux-fsdevel@vger.kernel.org, Christian Brauner, Alexander Viro
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] fs: fix overflow check in rw_verify_area()
Date: Fri, 19 Dec 2025 13:52:50 +0100
Message-ID: <20251219125250.65245-1-teknoraver@meta.com>

The overflow check in rw_verify_area() can itself overflow when
pos + count > LLONG_MAX, causing the sum to wrap to a negative value
and incorrectly return -EINVAL.

This can be reproduced easily by creating a 20 MB file and reading it
via splice() and a size of 0x7FFFFFFFFF000000.
The syscall fails when the file pos reaches 16 MB.

    splice(3, NULL, 6, NULL, 9223372036837998592, 0) = 262144
    splice(3, NULL, 6, NULL, 9223372036837998592, 0) = 262144
    splice(3, NULL, 6, NULL, 9223372036837998592, 0) = -1 EINVAL (Invalid argument)

This can probably be triggered in other ways given that coreutils often
uses SSIZE_MAX as size argument[1][2]

[1] https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/src/cat.c?h=v9.9#n505
[2] https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/src/copy-file-data.c?h=v9.9#n130
--- fs/read_write.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/read_write.c b/fs/read_write.c index 833bae068770..8cb4f5bba592 100644 --- a/fs/read_write.c +++ b/fs/read_write.c 
@@ -464,9 +464,13 @@ int rw_verify_area(int read_write, struct file *file, = const loff_t *ppos, size_t return -EINVAL; if (count >=3D -pos) /* both values are in 0..LLONG_MAX */ return -EOVERFLOW; - } else if (unlikely((loff_t) (pos + count) < 0)) { - if (!unsigned_offsets(file)) - return -EINVAL; + } else { + /* Clamp count to MAX_RW_COUNT for overflow check. */ + loff_t end =3D min_t(loff_t, count, MAX_RW_COUNT); + if (unlikely(end > LLONG_MAX - pos)) { + if (!unsigned_offsets(file)) + return -EINVAL; + } } } =20 --=20 2.52.0
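
Review bot: In the new else branch, `loff_t end = min_t(loff_t, count, MAX_RW_COUNT);` converts the size_t `count` to a signed loff_t before taking the minimum, so a `count` above LLONG_MAX would turn negative, win the min, and leave `end > LLONG_MAX - pos` false. Unless something earlier in the function (outside this hunk) already rejects such counts, do the clamp in an unsigned type, for example `min_t(size_t, count, MAX_RW_COUNT)`. The name `end` is also misleading, since the variable holds a clamped length rather than an end offset (`len` would fit better), and the comment restates the code instead of saying why checking the clamped value is sufficient. Kernel style wants a blank line between the declaration and the `if`, and the two nested `if`s can be folded into a single condition with `&&`.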