Page MenuHomeFreeBSD
Differential D54258

tmpfs: Fix comparison in tmpfs_extattr_update_mem()
AbandonedPublic
Actions

Authored by markj on Tue, Dec 16, 5:23 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 17, 4:55 AM
Unknown Object (File)
Wed, Dec 17, 4:54 AM
Unknown Object (File)
Wed, Dec 17, 3:17 AM
Unknown Object (File)
Wed, Dec 17, 3:13 AM
Unknown Object (File)
Wed, Dec 17, 2:54 AM
Subscribers
imp

Details

Reviewers
fsu
kib
Summary

The tm_ea_memory_inuse and tm_ea_memory_max fields are unsigned, so the
signed "size" is promoted to unsigned before the comparison. When
"size" is negative, this will not work as expected.

Reported by: Kevin Day <kevin@your.org>
Fixes: 56242a4c6566 ("Add extended attributes")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 69305
Build 66188: arc lint + arc unit

Event Timeline

markj created this revision.Tue, Dec 16, 5:23 PM
Herald added a subscriber: imp. · View Herald TranscriptTue, Dec 16, 5:23 PM
markj requested review of this revision.Tue, Dec 16, 5:23 PM
Harbormaster completed remote builds in B69305: Diff 168203.Tue, Dec 16, 5:23 PM
kib added a comment.Tue, Dec 16, 6:27 PM

This is only relevant for 32bit arches, am I right? (I do not claim that it is not a bug to fix).

markj added a comment.Tue, Dec 16, 8:21 PM
In D54258#1239826, @kib wrote:

This is only relevant for 32bit arches, am I right? (I do not claim that it is not a bug to fix).

Hmm, now that I look at it again, I think this patch is just bogus, and there is no problem. If size < 0 and size is promoted to an unsigned type, addition with tm_ea_memory_inuse will cause wraparound and the result will be correct. It does not make much sense to perform the comparison at all if size < 0, but I think there is no problem, even on 32-bit arches. I did not test it at all yet.

kib added a comment.Wed, Dec 17, 3:50 AM
In D54258#1239897, @markj wrote:
In D54258#1239826, @kib wrote:

This is only relevant for 32bit arches, am I right? (I do not claim that it is not a bug to fix).

Hmm, now that I look at it again, I think this patch is just bogus, and there is no problem. If size < 0 and size is promoted to an unsigned type, addition with tm_ea_memory_inuse will cause wraparound and the result will be correct. It does not make much sense to perform the comparison at all if size < 0, but I think there is no problem, even on 32-bit arches. I did not test it at all yet.

I mean, on 64bit ssize_t is same sizeof() as ea_memory_inuse, so promotion to unsigned then results in the expected wraparound. On 32bit, size is 32bit, and my wrong thought was that unsigned promotion would be to uint32_t, but really it promotes to uint64_t and properly propagates sign into the upper word. So indeed, the change should be not needed.

markj abandoned this revision.Wed, Dec 17, 1:32 PM

Sorry for the noise.

Revision Contents
Changeset List

PathSize
sys/
fs/
tmpfs/
3 lines

Diff 168203

View Options

sys/fs/tmpfs/tmpfs_vnops.c

Loading...