[PATCH] fs: fix overflow check in rw_verify_area()
From: Matteo Croce
Date: Fri Dec 19 2025 - 07:53:03 EST
The overflow check in rw_verify_area() can itself overflow when
pos + count > LLONG_MAX, causing the sum to wrap to a negative value
and incorrectly return -EINVAL.
This can be reproduced easily by creating a 20 MB file and reading it
via splice() and a size of 0x7FFFFFFFFF000000. The syscall fails
when the file pos reaches 16 MB.
splice(3, NULL, 6, NULL, 9223372036837998592, 0) = 262144
splice(3, NULL, 6, NULL, 9223372036837998592, 0) = 262144
splice(3, NULL, 6, NULL, 9223372036837998592, 0) = -1 EINVAL (Invalid argument)
This can probably be triggered in other ways given that coreutils often
uses SSIZE_MAX as size argument[1][2]
[1] https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/src/cat.c?h=v9.9#n505
[2] https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/src/copy-file-data.c?h=v9.9#n130
---
fs/read_write.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/read_write.c b/fs/read_write.c
index 833bae068770..8cb4f5bba592 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -464,9 +464,13 @@ int rw_verify_area(int read_write, struct file *file, const loff_t *ppos, size_t
return -EINVAL;
if (count >= -pos) /* both values are in 0..LLONG_MAX */
return -EOVERFLOW;
- } else if (unlikely((loff_t) (pos + count) < 0)) {
- if (!unsigned_offsets(file))
- return -EINVAL;
+ } else {
+ /* Clamp count to MAX_RW_COUNT for overflow check. */
+ loff_t end = min_t(loff_t, count, MAX_RW_COUNT);
+ if (unlikely(end > LLONG_MAX - pos)) {
+ if (!unsigned_offsets(file))
+ return -EINVAL;
+ }
}
}
--
2.52.0