
sbuf_uionew(): sbuf_new() takes int as length
Closed, Public

Authored by kib on Apr 13 2021, 7:15 PM.
Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kib requested review of this revision. Apr 13 2021, 7:15 PM
kib created this revision.
markj added inline comments.
sys/kern/subr_sbuf.c
272

This still permits userspace to trigger a large kernel allocation.

pfs_read() imposes a limit of 1MB, PFS_MAXBUFSIZ. I think this is probably a reasonable limit for writes as well?

This revision is now accepted and ready to land. Apr 13 2021, 7:38 PM

Also check against SBUF_MINSIZE

This revision now requires review to proceed. Apr 13 2021, 7:42 PM
kib marked an inline comment as done. Apr 13 2021, 7:49 PM
kib added inline comments.
sys/kern/subr_sbuf.c
272

Even 1M is arguably a large kernel allocation.
Without drain, it is the only way around.

I do not want to add drain support and drain code.

kib marked an inline comment as done.

Limit pseudofs max write size to 1M

sys/kern/subr_sbuf.c
269

I suspect it should be uio->uio_resid < SBUF_MINSIZE - 1, otherwise it is impossible to write to a 1-byte file.

272

And consumers have to opt in to using sbuf drain anyway.

kib marked an inline comment as done.

SBUF_MAXSIZE - 1

This revision is now accepted and ready to land. Apr 13 2021, 8:29 PM
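The three points raised in the review (an int-sized length fed from a caller-controlled ssize_t, a cap on how much kernel memory a write can force, and the SBUF_MINSIZE comparison that must allow a 1-byte write) can be checked in isolation. The userland C below is an added example written for this page; it is not the FreeBSD sbuf code or the patch under review. It assumes SBUF_MINSIZE is 2 (one byte plus the nul terminator, as the review describes), uses a 1 MB constant in place of PFS_MAXBUFSIZ, and models the buffer length handed to the allocator as resid + 1.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Assumed constants for this example. SBUF_MINSIZE is taken to be
 * "1 byte + nul terminator" as discussed in the review; the 1 MB cap
 * stands in for PFS_MAXBUFSIZ.
 */
#define SBUF_MINSIZE		2
#define EXAMPLE_MAX_WRITE	(1024 * 1024)

/*
 * The unchecked conversion: a caller-supplied byte count (ssize_t, as in
 * uio_resid) is handed to an int-sized length parameter. For counts that
 * do not fit in int the value is silently truncated, so a 4 GiB request
 * becomes a length of 0 and a request near INT_MAX goes negative.
 */
int
unchecked_sbuf_len(ssize_t resid)
{
	return ((int)(resid + 1));	/* +1 for the nul terminator */
}

/*
 * Validated conversion: bound the value before it reaches the int
 * parameter. Returns 0 and stores the length in *lenp, or an errno.
 */
int
checked_sbuf_len(ssize_t resid, int *lenp)
{
	if (resid < 0)
		return (EINVAL);
	/* Cap the allocation size userspace can force the kernel to make. */
	if (resid > EXAMPLE_MAX_WRITE)
		return (EINVAL);
	/*
	 * Require room for at least one byte plus the terminator. Compare
	 * the buffer size (resid + 1) against SBUF_MINSIZE, not resid
	 * itself, otherwise a 1-byte write can never succeed.
	 */
	if (resid + 1 < SBUF_MINSIZE)
		return (EINVAL);
	*lenp = (int)(resid + 1);
	return (0);
}

/*
 * The off-by-one variant the review points out: comparing resid rather
 * than resid + 1 against SBUF_MINSIZE rejects a 1-byte write. Returns 1
 * when the variant would reject the request.
 */
int
offbyone_rejects(ssize_t resid)
{
	return (resid < SBUF_MINSIZE);
}

int
main(void)
{
	/* Constructed probe values: invalid, empty, 1-byte, cap, cap+1, 4 GiB. */
	ssize_t probes[] = { -1, 0, 1, EXAMPLE_MAX_WRITE,
	    (ssize_t)EXAMPLE_MAX_WRITE + 1, (ssize_t)UINT_MAX };
	size_t i;
	int len, error;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		error = checked_sbuf_len(probes[i], &len);
		if (error != 0)
			printf("resid=%zd unchecked=%d checked=EINVAL\n",
			    probes[i], unchecked_sbuf_len(probes[i]));
		else
			printf("resid=%zd unchecked=%d checked=%d\n",
			    probes[i], unchecked_sbuf_len(probes[i]), len);
	}
	return (0);
}
```

Build with `cc -Wall -o sbuflen sbuflen.c` and run it; the 4 GiB probe shows the unchecked length collapsing to 0 while the checked path returns EINVAL, and the 1-byte probe shows why the minimum-size test must be applied to resid + 1.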

D29752.87397.diff looks good to me. Tested with syscall fuzzing of:

# /* 174 is freebsd6 pwrite */
#define SYS_pwritev     290
#define SYS_pwrite      476
#define SYS_preadv      289