This is the mail archive of the
mailing list for the glibc project.
Re: [patch] Fix BZ 19165 -- overflow in fread / fwrite
- From: Rich Felker <dalias at libc dot org>
- To: zackw at panix dot com
- Cc: Florian Weimer <fweimer at redhat dot com>, Paul Eggert <eggert at cs dot ucla dot edu>, Alexander Cherepanov <ch3root at openwall dot com>, "Joseph S. Myers" <joseph at codesourcery dot com>, Paul Pluzhnikov <ppluzhnikov at google dot com>, GLIBC Devel <libc-alpha at sourceware dot org>
- Date: Thu, 11 Feb 2016 10:30:54 -0500
- Subject: Re: [patch] Fix BZ 19165 -- overflow in fread / fwrite
On Thu, Feb 11, 2016 at 08:50:58AM -0500, Zack Weinberg wrote:
> On Feb 11, 2016 7:22 AM, "Florian Weimer" <email@example.com> wrote:
> > On 02/11/2016 03:26 AM, Rich Felker wrote:
> > > I think the problem may be even worse than we all expected. I've been
> > > trying to fix the corresponding issue in musl, and it looks like the
> > > _kernel_ is spuriously failing these reads with EFAULT by pre-checking
> > > the validity of the potential destination address range rather than
> > > only checking if there would actually be data to copy.
> >
> > Yes, system call behavior in this area is fairly regular: if a memory
> > region is passed, it is checked for validity as a whole, and not just
> > for the parts that are actually needed. By now, this is part of the
> > user space interface, and probably cannot change without breaking
> > backwards compatibility.
>
> Also, the kernel might need to finalize access checks and wire down the
> pages for DMA before it even knows how much data is available.

That makes no sense except for O_DIRECT wackiness where I doubt anyone
cares about correctness/standards. Normal file reads should always be
DMA into the fs cache followed by memcpy to the caller's buffer.