From: Al Viro <viro@zeniv.linux.org.uk>
To: Justin Stitt <justinstitt@google.com>
Cc: Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Nathan Chancellor <nathan@kernel.org>,
Bill Wendling <morbo@google.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
llvm@lists.linux.dev, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] libfs: fix accidental overflow in offset calculation
Date: Fri, 10 May 2024 08:02:28 +0100 [thread overview]
Message-ID: <20240510070228.GY2118490@ZenIV> (raw)
In-Reply-To: <20240510063312.GX2118490@ZenIV>
On Fri, May 10, 2024 at 07:33:12AM +0100, Al Viro wrote:
> As the matter of fact, it would be interesting to find out
> which instances, if any, do *not* have that relationship
> between SEEK_CUR and SEEK_SET. If such are rare, it might
> make sense to mark them as such in file_operations and
> have vfs_llseek() check that - it would've killed a whole
> lot of boilerplate. And there it a careful handling of
> overflow checks (or a clear comment explaining what's
> going on) would make a lot more sense.
>
> IF we know that an instance deals with SEEK_CUR as SEEK_SET to
> offset + ->f_pos, we can translate SEEK_CUR into SEEK_SET
> in the caller.
FWIW, weird instances do exist.
kernel/printk/printk.c:devkmsg_llseek(), for example. Or this
gem in drivers/fsi/i2cr-scom.c:
static loff_t i2cr_scom_llseek(struct file *file, loff_t offset, int whence)
{
switch (whence) {
case SEEK_CUR:
break;
case SEEK_SET:
file->f_pos = offset;
break;
default:
return -EINVAL;
}
return offset;
}
SEEK_CUR handling in particular is just plain bogus: lseek(fd, -9, SEEK_CUR)
doing nothing to current position and returning EBADF. Even if you've done
lseek(fd, 9, SEEK_SET) just before that...
I suspect that some of those might be outright bugs; /dev/kmsg one probably
isn't, but by the look of it those should be rare.
Then there's orangefs_dir_llseek(), with strange handling of SEEK_SET
(but not SEEK_CUR); might or might not be a bug...
From the quick look it does appear that it might be a project worth
attempting - exceptions are very rare.
prev parent reply other threads:[~2024-05-10 7:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-10 0:35 [PATCH] libfs: fix accidental overflow in offset calculation Justin Stitt
2024-05-10 0:49 ` Al Viro
2024-05-10 1:04 ` Al Viro
2024-05-10 3:26 ` Justin Stitt
2024-05-10 4:48 ` Al Viro
2024-05-10 6:33 ` Al Viro
2024-05-10 7:02 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240510070228.GY2118490@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=justinstitt@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.