Date: Thu, 25 Jan 2018 13:13:32 -0500 From: Pedro Giffuni <pfg@FreeBSD.org> To: Bruce Evans <brde@optusnet.com.au> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r328346 - in head/sys: fs/ext2fs ufs/ffs ufs/ufs Message-ID: <8d5ddd06-14b2-e7e1-14dd-5e9d42f9b33c@FreeBSD.org> In-Reply-To: <20180126020540.B2181@besplex.bde.org> References: <201801241758.w0OHwm26063524@repo.freebsd.org> <20180126020540.B2181@besplex.bde.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 01/25/18 11:28, Bruce Evans wrote: > On Wed, 24 Jan 2018, Pedro F. Giffuni wrote: > >> Log: >> ext2fs|ufs:Unsign some values related to allocation. >> >> When allocating memory through malloc(9), we always expect the >> amount of >> memory requested to be unsigned as a negative value would either >> stand for >> an error or an overflow. >> Unsign some values, found when considering the use of >> mallocarray(9), to >> avoid unnecessary casting. Also consider that indexes should be of >> at least the same size/type as the upper limit they pretend to index. > > This might not break much, but it adds many more type errors and bogus > (implicit) casts than it fixes. It actually changes the brokenness of > the > first variable touched: > >> Modified: head/sys/fs/ext2fs/ext2_lookup.c >> ============================================================================== >> >> --- head/sys/fs/ext2fs/ext2_lookup.c Wed Jan 24 17:52:06 2018 >> (r328345) >> +++ head/sys/fs/ext2fs/ext2_lookup.c Wed Jan 24 17:58:48 2018 >> (r328346) >> @@ -145,9 +145,9 @@ ext2_readdir(struct vop_readdir_args *ap) >> off_t offset, startoffset; >> size_t readcnt, skipcnt; >> ssize_t startresid; >> - int ncookies; >> int DIRBLKSIZ = VTOI(ap->a_vp)->i_e2fs->e2fs_bsize; >> int error; >> + u_int ncookies; > > The first bug is only a style bug (unsorting the u_int after the ints > even > when its variable was accidentally already before the ints. > Yup, my error. >> >> if (uio->uio_offset < 0) >> return (EINVAL); > > That is the only change in this file. No comment on other changes. > > ncookies is mostly used in contexts other than for multiplying by it > before > calling malloc(), and its type is now inconsistent with most other > places. > > The other places are: > > X ncookies = uio->uio_resid; > > This has a more serious type error and consequent overflow bugs. > uio_resid > used to have type int, and cookies had to have type int to match that, > else > there overflow occurs before the bounds checks. Now uio_resid has type > ssize_t, which is excessively large on 64-bit arches (64 bits then), > so the > assignment overflowed when ncookies had type int and uio_resid > INT_MAX. > Now it overflows differently when uio_resid > UINT_MAX, and unsign > extension > causes overflow when uio_resid < 0. There might be a sanity check on > uio_resid at higher levels, but I can only find a check related to EOF in > vfs_read_dirent(). > I will argue that none of the code in this function is prepared for the eventually of uio->uio_resid < 0 In that case we would have a rather spectacular failure in malloc. Unsigning ncookies is a theoretical, although likely impractical, improvement here. It is not clear to me that using int or u_int makes a difference given it is a local variable and in this scope the signedness of the variable is basically irrelevant. From a logical point of view .. we can't really have a negative number of cookies. > Next, we do some bounds checking which seems to be correct modulo > previous > overflows, and show the care needed for unsigned variables (i_size is > unsigned > and must be compared with uio_offset which is signed). > > Next, we assign ncookies, to ap_ncookies which still has the correct type > (plain signed int). If ncookies were actually large enough to need a > u_int, > or worse a 64-bit ssize_t, then this would overflow. > > Later, we KASSERT() that ncookies > 0. This might cause a compiler > warning > "unsigned comparison with 0" now that ncookies is unsigned. We count > down > ncookies, but the loop termination condition is complicated and we don't > get any benefits from the possible micro-optimization of using > ncookies as > a loop counter that counts down to 0. > > To fix the problem that mallocarray() wanted a size_t arg, ncookies could > be cast to size_t, but that would be silly. The prototype does the same > cast automatically even for cases with sign mismatches. Now malloc() > wants a type of size_t (after further breakage to change malloc()s arg > type). Many conversions are still involved, and casting would at most > limit > compiler warnings: the code is now: > > X malloc(ncookies * sizeof(*cookies), ...) > > First, ncookies and sizeof(...) are promoted to a common type. When > ncookies > was int, usually it was promoted to size_t and sizeof(...) was not > promoted. > But on exotic arches with size_t smaller than int, sizeof(...) is > promoted to > int and ncookies is not promoted. > > Next, the type of the result of the multiplication is the common type. > > Finally, the prototype used to convert to u_long, but now converts to > size_t. > When the common type is size_t, then the conversion is now null. When the > common type was int, the conversion was promotion to u_long, but it is > now > demotion to size_t. > > All this only obviously works in practice because all the variables and > the product are small, so they are smaller than all of INT_MAX, SIZE_MAX > and ULONG_MAX on all supported and unsupported arches. However, it is > hard to write bounds checks that obviously handle all cases, except > by using simple small bounds on the variables. > > It is now obvious that the bounds checking is broken for general use. > There is no obvious limit on the malloc() except the file size. > However, I think cookies are only used by nfs, so this is not a > user-serving bug. nfs just has to limit its cookie size. It seems to > use a limit of something like NFS_SRVMAXIO (128K). This also makes > the overflow from the ssize_t type error unreachable. Note that it > > So all of this actually works very unobviously in practice. The sizes > are only small because nfs is the only (?) caller and it never asks for > large sizes. > > ffs has almost the same code, so has the same fragility. > > This fragility goes back to at least FreeBSD-3, but for ffs it was > only in the big-endian case then (this is the case which always had > to copy and convert the on-disk layout). This changed relatively > recently, because the ffs on-disk layout only matches struct dirent > for 32-bit ino_t. > > Bruce > Pedro.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8d5ddd06-14b2-e7e1-14dd-5e9d42f9b33c>