svn commit: r230583 - head/sys/kern

David Schultz das at FreeBSD.ORG
Sun Jan 29 22:39:06 UTC 2012


On Sun, Jan 29, 2012, Kostik Belousov wrote:
> On Sat, Jan 28, 2012 at 07:12:25PM -0500, David Schultz wrote:
> > On Sat, Jan 28, 2012, Kostik Belousov wrote:
> > > On Fri, Jan 27, 2012 at 02:42:21PM -0500, David Schultz wrote:
> > > > On Fri, Jan 27, 2012, Kostik Belousov wrote:
> > > > > On Fri, Jan 27, 2012 at 07:50:30PM +1100, Bruce Evans wrote:
> > > > > > On Thu, 26 Jan 2012, Gleb Smirnoff wrote:
> > > > > > 
> > > > > > >On Thu, Jan 26, 2012 at 11:53:57PM +1100, Bruce Evans wrote:
> > > > > > >B> > @@ -1552,6 +1552,12 @@ aio_aqueue(struct thread *td, struct aio
> > > > > > >B> > 		return (error);
> > > > > > >B> > 	}
> > > > > > >B> >
> > > > > > >B> > +	/* XXX: aio_nbytes is later casted to signed types. */
> > > > > > >B> > +	if ((int)aiocbe->uaiocb.aio_nbytes < 0) {
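Review bot: the `(int)` cast in the new check `if ((int)aiocbe->uaiocb.aio_nbytes < 0)` truncates before the sign test, so if aio_nbytes is wider than int a count such as 2^32 + 1 becomes 1 and is accepted; the conversion of an out-of-range value to int is also implementation-defined. Comparing the unconverted aio_nbytes against INT_MAX, as suggested below, rejects every count that cannot be represented as an int without relying on that behaviour.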
> > > > > > >B>
> > > > > > >B> This should avoid implementation-defined behaviour by checking if
> > > > > > >B>
> > > > > > >B>  	(uncast)aiocbe->uaiocb.aio_nbytes > INT_MAX.
> > > > > > 
> > > > > > >Is the attached patch okay?
> > > > > > 
> > > > > > Yes.  It now matches the style used for read^Wsys_read() and friends.
> > > > > > This used to have to fit the count in "int uio_resid".  uio_resid now
> > > > > > has type ssize_t, but for some reason the old INT_MAX limits remain.
> > > > > 
> > > > > Well, I can revive the patch. I still think it is good to get rid of
> > > > > the limit.
> > > > 
> > > > The correct limit on the maximum size of a single read/write is
> > > > SSIZE_MAX, but FreeBSD uses INT_MAX.  It's not safe to raise the
> > > > limit yet, though, because of bugs in several filesystems.  For
> > > > example, FFS copies uio_resid into a local variable of type int.
> > > > I have some old patches that fix some of these issues for FFS and
> > > > cd9660, but surely there are more places I didn't notice.
> > > > 
> > > Absolutely agree.
> > > 
> > > http://people.freebsd.org/~kib/misc/uio_resid.5.patch
> > 
> > Nice.  You found a lot more than I've got in my tree, and you even
> > fixed the return values.  There are at least a few more places to
> > fix.  For instance, cd9660 and the NFS client pass uio_resid or
> > iov_len to min(), which operates on ints.  (Incidentally, C11
> > generics ought to make it possible to write type-generic min()
> > and max() functions.)
> 
> Thank you, http://people.freebsd.org/~kib/misc/uio_resid.6.patch
> changed them to MIN().

This looks good to me.  I tried to think of other places that you
might have missed, and the only one that occurred to me is the
pipe code.  sys_pipe.c has an `int orig_resid' and lots of bogus
casts of iov_len and uio_resid to type u_int.  Some look harmless,
although it appears that writing a multiple of 2^32 bytes might
result in pipe_build_write_buffer() allocating a 0-length buffer.

My only reservation is that raising the limit could unmask a
kernel buffer overflow if we missed something, but I guess we have
to cross that bridge some day anyway.
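As an added illustration of the three conversions this thread talks about (the `(int)` sign test on aio_nbytes, the int-only `min()` versus the type-preserving `MIN()`, and the `u_int` casts in the pipe code), here is a stand-alone C program that is not part of the thread or of the FreeBSD tree; it assumes a 64-bit size_t and a compiler that truncates on narrowing conversion, and its function names are made up for the example:

```c
/* Added example, not FreeBSD code.  Assumes LP64 (64-bit size_t) and
 * truncating narrowing conversions, as on FreeBSD/amd64 with gcc/clang. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Type-preserving macro, as in sys/param.h. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Mirrors the kernel's int-only libkern min(): both arguments are
 * silently converted to int at the call site. */
static inline int min(int a, int b) { return (a < b) ? a : b; }

/* The rejected form: sign test after an (int) cast.  Truncation happens
 * first, so 2^32 + 1 becomes 1 and passes (implementation-defined). */
int reject_by_cast(size_t nbytes) { return (int)nbytes < 0; }

/* The form Bruce suggested: compare the unconverted value with INT_MAX. */
int reject_by_bound(size_t nbytes) { return nbytes > INT_MAX; }

/* A wide residual fed through min(): the result comes from the truncated
 * value, not from the real count. */
size_t clamp_with_min(ssize_t resid, size_t bufsz) {
    return (size_t)min(resid, bufsz); /* implicit conversions to int */
}

/* The replacement in the uio_resid.6 patch: MIN() keeps the operand types. */
size_t clamp_with_MIN(ssize_t resid, size_t bufsz) {
    return MIN((size_t)resid, bufsz);
}

/* The sys_pipe.c pattern: casting the residual to u_int (unsigned int in
 * the kernel's typedef) yields 0 for any exact multiple of 2^32. */
unsigned int pipe_write_len(ssize_t resid) { return (unsigned int)resid; }

int main(void) {
    size_t big = (size_t)1 << 32; /* 4 GiB: representable in size_t, not int */
    printf("cast check rejects 2^32+1:  %d\n", reject_by_cast(big + 1));
    printf("bound check rejects 2^32+1: %d\n", reject_by_bound(big + 1));
    printf("min() of 2^32+7 and 4096:   %zu\n", clamp_with_min(big + 7, 4096));
    printf("MIN() of 2^32+7 and 4096:   %zu\n", clamp_with_MIN(big + 7, 4096));
    printf("u_int of 2^32:              %u\n", pipe_write_len(big));
    return 0;
}
```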
