From 549cd26c48fe0f177c3a09db523e5b12364ce3df Mon Sep 17 00:00:00 2001
From: riastradh
Date: Sun, 10 Jul 2022 23:12:12 +0000
Subject: [PATCH] readv(2), writev(2): Avoid arithmetic overflow in bounds check.
---
 sys/kern/sys_generic.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c
index afc6d8c0a9e3..0894053933da 100644
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_generic.c,v 1.133 2021/09/11 10:08:55 riastradh Exp $ */
+/* $NetBSD: sys_generic.c,v 1.134 2022/07/10 23:12:12 riastradh Exp $ */
 /*-
 * Copyright (c) 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: sys_generic.c,v 1.133 2021/09/11 10:08:55 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_generic.c,v 1.134 2022/07/10 23:12:12 riastradh Exp $");
 #include
 #include
@@ -255,7 +255,8 @@ do_filereadv(int fd, const struct iovec *iovp, int iovcnt,
 * Therefore we must restrict the length to SSIZE_MAX to
 * avoid garbage return values.
 */
- if (iov->iov_len > SSIZE_MAX || auio.uio_resid > SSIZE_MAX) {
+ if (iov->iov_len > SSIZE_MAX ||
+ auio.uio_resid > SSIZE_MAX - iov->iov_len) {
 error = EINVAL;
 goto done;
 }
@@ -456,7 +457,8 @@ do_filewritev(int fd, const struct iovec *iovp, int iovcnt,
 * Therefore we must restrict the length to SSIZE_MAX to
 * avoid garbage return values.
 */
- if (iov->iov_len > SSIZE_MAX || auio.uio_resid > SSIZE_MAX) {
+ if (iov->iov_len > SSIZE_MAX ||
+ auio.uio_resid > SSIZE_MAX - iov->iov_len) {
 error = EINVAL;
 goto done;
 }
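Review bot: The new bound `auio.uio_resid > SSIZE_MAX - iov->iov_len` in do_filereadv is exact only if `auio.uio_resid` does not yet include this element's `iov_len`, and the statement that accumulates the length lies outside the hunk, so that ordering cannot be confirmed from here. If the addition runs before the check, the current length is counted twice and requests whose total still fits in SSIZE_MAX would be rejected with EINVAL; placing the addition after the check keeps the running sum within SSIZE_MAX without ever computing an out-of-range value. The subtraction is safe only because the first clause short-circuits when `iov_len > SSIZE_MAX`, which is worth recording next to it, for example `/* iov_len <= SSIZE_MAX here, so the subtraction cannot wrap */`. The same points apply to the identical check in do_filewritev (the `@@ -456` hunk); both loops begin and end outside their hunks.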