Check read() and write() for offset + count wraparound

If you gave a file a very large count and the sum offset + count wrapped
around, you could confuse the system into thinking you had a smaller
file.

Signed-off-by: Barret Rhoden <brho@cs.berkeley.edu>

kern/src/ns/fs_file.c

diff --git a/kern/src/ns/fs_file.c b/kern/src/ns/fs_file.c
index 2605055..09aa073 100644
--- a/kern/src/ns/fs_file.c
+++ b/kern/src/ns/fs_file.c
@@ -360,6 +360,8 @@
 	/* These errors should have been caught by higher level code */
 	if ((uintptr_t)buf + count < (uintptr_t)buf)
 		panic("Bad buf %p + count %p", buf, count);
+	if (offset + count < offset)
+		panic("Bad offset %p + count %p", offset, count);
 	if (waserror()) {
 		if (so_far) {
 			poperror();
@@ -409,6 +411,8 @@
 	/* These errors should have been caught by higher level code */
 	if ((uintptr_t)buf + count < (uintptr_t)buf)
 		panic("Bad buf %p + count %p", buf, count);
+	if (offset + count < offset)
+		panic("Bad offset %p + count %p", offset, count);
 	if (waserror()) {
 		if (so_far) {
 			write_metadata(f, offset + so_far, false);

kern/src/ns/sysfile.c

diff --git a/kern/src/ns/sysfile.c b/kern/src/ns/sysfile.c
index ad13b8b..34e65f0 100644
--- a/kern/src/ns/sysfile.c
+++ b/kern/src/ns/sysfile.c
@@ -752,6 +752,8 @@
 			off = *offp;
 		if (off < 0)
 			error(EINVAL, ERROR_FIXME);
+		if ((off64_t)off + (size_t)n < (off64_t)off)
+			error(EINVAL, "bad offset %p + count %p", off, n);
 		if (off == 0) {
 			if (offp == NULL) {
 				spin_lock(&c->lock);
@@ -1121,6 +1123,8 @@
 	}
 	if (off < 0)
 		error(EINVAL, ERROR_FIXME);
+	if ((off64_t)off + (size_t)n < (off64_t)off)
+		error(EINVAL, "bad offset %p + count %p", off, n);
 	m = devtab[c->type].write(c, va, n, off);
 	poperror();