Re: [PATCH V2] Fix return value from fstat calls

public inbox for linux-raid@vger.kernel.org
 help / color / mirror / Atom feed

From: "Tkaczyk, Mariusz" <mariusz.tkaczyk@linux.intel.com>
To: NeilBrown <neilb@suse.de>, Nigel Croxon <ncroxon@redhat.com>
Cc: jes@trained-monkey.org, xni@redhat.com, linux-raid@vger.kernel.org
Subject: Re: [PATCH V2] Fix return value from fstat calls
Date: Fri, 13 Aug 2021 09:00:24 +0200	[thread overview]
Message-ID: <5b71689a-6d07-0dfd-a4b6-26322ee3136e@linux.intel.com> (raw)
In-Reply-To: <162881060124.15074.6150940509008984778@noble.neil.brown.name>

On 13.08.2021 01:23, NeilBrown wrote:
>>
>> The fstat() function will fail if:
>> [EBADF] - The fildes argument is not a valid file descriptor.
> 
> But we never pass an invalid file descriptor
> 
We can't guarantee that. There is always a minimal chance to pass
wrong/invalid argument caused by bug somewhere else in mdadm logic.
I think that handling such case is reasonable from security point
of view but agree that it could be a dead check (if everything is
well implemented).

> And you didn't list "EFAULT", but of course we never pass an invalid
> memory address either.

As before, we can't guarantee it, too. For now it seems to be well handled
but implementation may change and vulnerability might be missed during
review. Is safer to handle that some way.

>> [EIO] - An I/O error occurred while reading from the file system.
> 
> fstat() doesn't do IO, it just reports data from the cache.
> 
>> [EOVERFLOW] - The file size in bytes or the number of blocks allocated to the file or the file serial number cannot be represented correctly in the structure pointed to by buf.
>>
>> The fstat() function may fail if:
>>
>> [EOVERFLOW] - One of the values is too large to store into the structure pointed to by the buf argument.
>>
> 
> Those don't happen in practice for the fstat() calls that mdadm makes
> either.
> 
Agree, but it could be changed.

> I think this patch is adding noise to the source code without actually
> providing any real value.  I would much prefer that if you really feel
> there is value, then just add a wrapper:
> 
> int  safe_fstat(....)
> {
>      int ret = fstat(.....);
>      char message[]="mdadm: fstat failed, so aborting\n"
>      if (ret == 0)
>           return 0;
>      write(2, message, sizeof(message)-1);
>      exit(1);
> }
> 
> Then just change every "fstat" in the code that bothers you to
> "safe_fstat()".
> 
> This approach of adding pointless checks because some static analysis
> tool thinks you should is not an approach that I approve of.

Maybe It won't be useful for users but it may help developers to avoid
trivial mistakes. As you told, if everything is fine then check is dead.
In my opinion any error handling is better than nothing.

Anyway, I think that there is a lot of more dangerous lines.

Regards,
Mariusz

next prev parent reply	other threads:[~2021-08-13  7:00 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-10 15:15 [PATCH] Fix return value from fstat calls Nigel Croxon
     [not found] ` <ed1b0603-e523-6ca6-12ce-d30a85afe885@linux.intel.com>
2021-08-11 13:06   ` Tkaczyk, Mariusz
2021-08-11 19:09 ` [PATCH V2] " Nigel Croxon
2021-08-11 22:52   ` NeilBrown
     [not found]     ` <346e8651-d861-45c7-9058-68008e691b93@Canary>
2021-08-12 23:23       ` NeilBrown
2021-08-13  7:00         ` Tkaczyk, Mariusz [this message]
2021-08-13  7:19           ` NeilBrown
2021-08-13  7:45             ` Tkaczyk, Mariusz
2021-08-13 19:19               ` Jes Sorensen
2021-08-12  6:49   ` Tkaczyk, Mariusz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5b71689a-6d07-0dfd-a4b6-26322ee3136e@linux.intel.com \
    --to=mariusz.tkaczyk@linux.intel.com \
    --cc=jes@trained-monkey.org \
    --cc=linux-raid@vger.kernel.org \
    --cc=ncroxon@redhat.com \
    --cc=neilb@suse.de \
    --cc=xni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox