Page MenuHomeFreeBSD

sbuf_uionew(): sbuf_new() takes int as length
ClosedPublic

Authored by kib on Apr 13 2021, 7:15 PM.

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

kib requested review of this revision.Apr 13 2021, 7:15 PM
kib created this revision.
markj added inline comments.
sys/kern/subr_sbuf.c
271

This still permits userspace to trigger a large kernel allocation.

pfs_read() imposes a limit of 1MB, PFS_MAXBUFSIZ. I think this is probably a reasonable limit for writes as well?

This revision is now accepted and ready to land.Apr 13 2021, 7:38 PM

Also check against SBUF_MINSIZE

This revision now requires review to proceed.Apr 13 2021, 7:42 PM
kib marked an inline comment as done.Apr 13 2021, 7:49 PM
kib added inline comments.
sys/kern/subr_sbuf.c
271

Even 1M is arguably large kernel allocation.
Without drain, it is the only way around.

I do not want to add drain support and drain code.

kib marked an inline comment as done.

Limit pseudofs max write size to 1M

sys/kern/subr_sbuf.c
269

I suspect it should be uio->uio_resid < SBUF_MINSIZE - 1, otherwise it is impossible to write to a 1-byte file.

271

And consumers have to opt in to using sbuf drain anyway.

kib marked an inline comment as done.

SBUF_MAXSIZE - 1

This revision is now accepted and ready to land.Apr 13 2021, 8:29 PM

D29752.87397.diff looks good to me. Tested with syscall fuzzing of:

# /* 174 is freebsd6 pwrite */
#define SYS_pwritev     290
#define SYS_pwrite      476
#define SYS_preadv      289