From 9f05044c50d7c8931037a499c36fde108e6e317c Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Wed, 3 Feb 2021 10:51:37 +0100
Subject: [PATCH] Kernel: Check for off_t overflow before reading/writing
 InodeFile

Let's double-check before calling the Inode. This way we don't have to
trust every Inode subclass to validate user-supplied inputs.
---
 Kernel/FileSystem/InodeFile.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Kernel/FileSystem/InodeFile.cpp b/Kernel/FileSystem/InodeFile.cpp
index 6773324b43..fe52944006 100644
--- a/Kernel/FileSystem/InodeFile.cpp
+++ b/Kernel/FileSystem/InodeFile.cpp
@@ -48,6 +48,9 @@ InodeFile::~InodeFile()
 
 KResultOr<size_t> InodeFile::read(FileDescription& description, size_t offset, UserOrKernelBuffer& buffer, size_t count)
 {
+    if (Checked<off_t>::addition_would_overflow(offset, count))
+        return EOVERFLOW;
+
     ssize_t nread = m_inode->read_bytes(offset, count, buffer, &description);
     if (nread > 0) {
         Thread::current()->did_file_read(nread);
@@ -60,6 +63,9 @@ KResultOr<size_t> InodeFile::read(FileDescription& description, size_t offset, U
 
 KResultOr<size_t> InodeFile::write(FileDescription& description, size_t offset, const UserOrKernelBuffer& data, size_t count)
 {
+    if (Checked<off_t>::addition_would_overflow(offset, count))
+        return EOVERFLOW;
+
     ssize_t nwritten = m_inode->write_bytes(offset, count, data, &description);
     if (nwritten > 0) {
         m_inode->set_mtime(kgettimeofday().tv_sec);