This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

bug (+fix) in getdents + readdir

- The following relates to the file:
  I report more than one bug in getdents() so please bare with me :> (the
  description is actually much longer than the patch). In a nutshell, the
  following program might (nondeterministically) enter an endless-loop:

      DIR           *dir = opendir("some-autofs-directory");
      struct dirent *e;
      while( (e = readdir(dir)) != NULL ) // might never return null
          printf("ino=%d name=%s\n", e->d_ino, e->d_name)

- In the implementation of getdents(), the `d_off' field (belonging to the
  linux kernel's dirent structure) is falsely assumed to contain the *byte*
  offset to the next dirent.
  Note that the linux manual of the readdir system-call states that d_off
  is the "offset to *this* dirent" while glibc's getdents treats it as the
  offset to the *next* dirent.

- In practice, both of the above are wrong/misleading. The `d_off' field
  may contain illegal negative values, 0 (should also never happen as the
  "next" dirent's offset must always be bigger then 0), or positive values
  that are bigger than the size of the directory-file itself:

  o We're not sure what the Linux kernel intended to place in this field,
    but our experience shows that on "real" file systems (that actually
    reside on some disk) the offset seems to be a simple (not necessarily
    continuous) counter: e.g. first entry may have d_off=1, second: d_off=2,
    third: d_off=4096, fourth=d_off=4097 etc. We conjecture this is the
    serial of the dirent record within the directory (and so, this is indeed
    the "offset", but counted in records out of which some were already

  o For file systems that are maintained by the amd automounter (automount,
    directories) the d_off seems to be arbitrary (and may be negative, zero
    or beyond the scope of a 32bit integer). We conjecture the amd doesn't
    assign this field and the received values are simply garbage.

- Fortunately, there is actually no need to use d_off as all the needed
  information is embedded in the d_reclen field (dirents are consecutive
  and the "next" dirent is found exactly after the "current" dirent).
  And indeed, glibc's getdents() uses the above technique most of the time.
  But, there are certain exceptional-conditions that might trigger
  getdents() to stop using on the dependable d_reclen and start using
  the unreliable d_off (Furthermore, these exceptional-conditions are
  identified based on the unreliable information held by d_off).

- One aspect of this bug was actually reported in 2001:
  but was wrongly (IMHO) dismissed by Ulrich Drepper who claimed that the
  bug is actually in the linux-kernel. The linux-kernel folks do not intend
  to change the data of their 'struct dirent'. They want it just the way it
  is and don't care if the glibc folks "wrongly" interpret the `d_off' field.

- The bug in glibc only occurs when an "overflow" is *wrongly* detected
  (see lines: 176-183 in getdents.c).
  Overflow might happen when the kernel uses `kernel_dirent64' that contains
  64bit wide fields (d_ino & d_off), while the user uses `struct dirent'
  through readdir(3) (rather than `struct dirent64' through readdir64).
  in which the corresponding fields are 32bit wide.
  [ This is of course a legal scenario: the user shouldn't know nor care
    how the kernel implements its readdir ]

- In such an "overflow" situation, getdents() tries to lseek (the
  directory-fd) to the end of the last-legal-dirent that getdents()
  has successfully read.
  This offset is supposedly held by the local variable `last_offset'.
  But, since `last_offset' is assigned with `d_off' on each iteration,
  and since as mentioned above `d_off' usually holds an incorrect value,
  the lseek is not performed to the correct place.
  getdents() then returns the number of bytes successfully read.

- This situation of course causes the next invocation of readdir() to
  return erroneous data due to the incorrect offset associated with
  the fd.
  Furthermore, it often happens (for autofs directories that serve as
  automount points and are maintained by the amd) that the first dirent-entry
  has d_off=0 and the second dirent causes a wrong "overflow".
  In this case getdents() will return the number of bytes composing
  the first successfully read dirent, and will wrongly lseek to 0: the
  beginning of the file.
  This means that the next invocation of readdir(3) will return (again)
  the first dirent, and so on (never returning NULL), causing any
  program that uses readdir(3) to enter into an endless loop!

How to fix (the above bug + another two): ########################################

Instead of line 193:
        last_offset = d_off;
        if( last_offset == -1 )
                last_offset = 0;
        last_offset += old_reclen;

    [  This makes `last_offset' hold the *real* last offset, and prevents
       the wrong lseek() when an "overflow" occurs. It works since the
       `d_reclen' is reliable and correct, as reflected by the manner
       getdents() uses `old_reclen'  ]

2:--------------------------------------------------------------------- The condition that identifies an "overflow" situation should also be changed: Instead of lines 176-179: if ((sizeof (outp->u.d_ino) != sizeof (inp->k.d_ino) && outp->u.d_ino != d_ino) || (sizeof (outp->u.d_off) != sizeof (inp->k.d_off) && outp->u.d_off != d_off)) only write: if ( sizeof (outp->u.d_ino) != sizeof (inp->k.d_ino) && outp->u.d_ino != d_ino )

    [  I removed the right-side of the `or': since the `d_off' field is
       buggy and unusable, don't include it in the check for overflow.
       The alterative is that programs reading the content of a directory
       maintained by the amd using readdir(3), will usually fail due to
       overflow, even though the directory is prefectly fine.  ]

3:--------------------------------------------------------------------- The following is another bug I think you have (which is unrelated to the above). Instead of line 120: && nbytes <= sizeof (DIRENT_TYPE)) write: && nbytes <= sizeof (struct kernel_dirent64))

    [  The above condition decides whether the user gave a large enough
       buffer in which `struct kernel_dirent64' will fit (`nbytes' is the
       size of the user's `buf'). If `buf' is too small, a bigger buffer
       is allocated (lines 122-124) so as to be able to hold `struct
       kernel_dirent64'  ]

4:--------------------------------------------------------------------- I think the following is also an (unrelated) bug: In lines 216-221:

        red_nbytes = MIN (nbytes
                      - ((nbytes / (offsetof (DIRENT_TYPE, d_name) + 14))
                         * size_diff),
                      nbytes - size_diff);

skdp = kdp = __alloca (red_nbytes);

It is obvious that `red_nbytes' may be negative (or rather, wrapped-around),
since `nbytes' is a value given by the user (and may even be 0).

The above patch is given in the attached `getdents.diff-u' Thanks, --Dan
--- getdents.c.orig	2003-12-04 19:11:38.000000000 +0200
+++ getdents.c	2003-12-04 19:38:06.000000000 +0200
@@ -117,7 +117,7 @@
       size_t kbytes = nbytes;
       if (offsetof (DIRENT_TYPE, d_name)
 	  < offsetof (struct kernel_dirent64, d_name)
-	  && nbytes <= sizeof (DIRENT_TYPE))
+	  && nbytes <= sizeof (kernel_dirent64))
 	  kbytes = nbytes + offsetof (struct kernel_dirent64, d_name)
 		   - offsetof (DIRENT_TYPE, d_name);
@@ -175,8 +175,7 @@
 	      outp->u.d_off = d_off;
 	      if ((sizeof (outp->u.d_ino) != sizeof (inp->k.d_ino)
 		   && outp->u.d_ino != d_ino)
-		  || (sizeof (outp->u.d_off) != sizeof (inp->k.d_off)
-		      && outp->u.d_off != d_off))
+		  )
 		  /* Overflow.  If there was at least one entry
 		     before this one, return them without error,
@@ -190,7 +189,10 @@
 		  return -1;
-	      last_offset = d_off;
+	      if( last_offset == -1 )
+		last_offset = 0;
+	      last_offset += old_reclen;
 	      outp->u.d_reclen = new_reclen;
 	      outp->u.d_type = d_type;
@@ -213,6 +215,7 @@
     const size_t size_diff = (offsetof (DIRENT_TYPE, d_name)
 			      - offsetof (struct kernel_dirent, d_name));
+    /* bug? (nbytes might be smaller than right side of minus) */
     red_nbytes = MIN (nbytes
 		      - ((nbytes / (offsetof (DIRENT_TYPE, d_name) + 14))
 			 * size_diff),

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]