
preadv(2), pwrite(2): validate uio_resid
Abandoned, Public

Authored by kib on Apr 13 2021, 2:55 PM.

Details

Reviewers
markj
Summary

It should be greater than zero, and less than IOSIZE_MAX. Remove now-redundant checks from functions calling kern_preadv() and kern_pwritev(), i.e. read/pread and write/pwrite syscall implementations.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kib requested review of this revision. Apr 13 2021, 2:55 PM
kib created this revision.

Why is the checking in copyinuio() not sufficient?

iov_len is size_t, while uio_resid is ssize_t. When IOSIZE_MAX is unclamped, the checks in copyinuio() probably do not check much.

I think at least iov_len should be verified to fit into ssize_t, but still I believe that the final check for uio_resid in dofileread/write is useful.

Also check that each iov_len can fit into uio_resid.
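
A userland C model of the point raised in this exchange, added here as an example and not taken from the revision or the FreeBSD tree: summing size_t iov_len values into a signed residual can come out negative, while checking each length against ssize_t and against the remaining room cannot. The function names, the iosize_max parameter (standing in for IOSIZE_MAX) and the sample iovecs are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Unchecked model: sum size_t lengths, then store into a signed residual. */
static ssize_t
naive_resid(const struct iovec *iov, int iovcnt)
{
	size_t total = 0;

	for (int i = 0; i < iovcnt; i++)
		total += iov[i].iov_len;	/* unsigned, wraps silently */
	/* Implementation-defined conversion; negative on two's-complement ABIs. */
	return ((ssize_t)total);
}

/*
 * Checked model. iosize_max stands in for the page's IOSIZE_MAX
 * (assumption: 0 <= iosize_max <= SSIZE_MAX). Returns 0 or EINVAL.
 */
static int
checked_resid(const struct iovec *iov, int iovcnt, ssize_t iosize_max,
    ssize_t *resid)
{
	ssize_t total = 0;

	for (int i = 0; i < iovcnt; i++) {
		/* Each length must be representable as ssize_t at all. */
		if (iov[i].iov_len > (size_t)SSIZE_MAX)
			return (EINVAL);
		/* Compare against the remaining room; never add first. */
		if ((ssize_t)iov[i].iov_len > iosize_max - total)
			return (EINVAL);
		total += (ssize_t)iov[i].iov_len;
	}
	*resid = total;
	return (0);
}

int
main(void)
{
	/* Constructed sample: only the lengths matter, bases stay NULL. */
	struct iovec big[2] = { { .iov_len = SSIZE_MAX }, { .iov_len = SSIZE_MAX } };
	ssize_t resid = 0;

	printf("naive resid: %zd\n", naive_resid(big, 2));
	printf("checked: %d\n", checked_resid(big, 2, SSIZE_MAX, &resid));
	return (0);
}
```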

This patch does not fix the issue for me using this test scenario:


https://people.freebsd.org/~pho/stress/log/log0091.txt