From owner-freebsd-hackers@freebsd.org Sun May 22 23:38:23 2016 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 14D9BB46178 for ; Sun, 22 May 2016 23:38:23 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B2AC81688; Sun, 22 May 2016 23:38:22 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id u4MNcGfe004756 (version=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 23 May 2016 02:38:17 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua u4MNcGfe004756 Received: (from kostik@localhost) by tom.home (8.15.2/8.15.2/Submit) id u4MNcG2F004755; Mon, 23 May 2016 02:38:16 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Mon, 23 May 2016 02:38:16 +0300 From: Konstantin Belousov To: Conrad Meyer Cc: Dirk Engling , FreeBSD Hackers Subject: Re: read(2) and thus bsdiff is limited to 2^31 bytes Message-ID: <20160522233816.GR89104@kib.kiev.ua> References: <20160522230942.GP89104@kib.kiev.ua> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 May 2016 23:38:23 -0000 On Sun, May 22, 2016 at 04:23:32PM -0700, Conrad Meyer wrote: > On Sun, May 22, 2016 at 4:09 PM, Konstantin Belousov > wrote: > > On Sun, May 22, 2016 at 03:56:33PM -0700, Conrad Meyer wrote: > >> On Sun, May 22, 2016 at 1:54 PM, Dirk Engling wrote: > >> > When trying to bsdiff two DVD images, I noticed it failing due to > >> > read(2) returning EINVAL to the tool. man 2 read says, this would only > >> > happen for a negative value for fildes, which clearly was not true. > >> > >> Actually, it's documented at the very bottom of the first section: > >> > >> ERRORS > >> The read(), readv(), pread() and preadv() system calls will succeed > >> unless: > >> ... > >> [EINVAL] The value nbytes is greater than INT_MAX. > >> > >> It does seem silly to me given nbytes is a size_t. I think it should > >> error if nbytes is greater than SSIZE_T_MAX, but on platforms where > >> size_t is larger than int (e.g. amd64) it shouldn't error for nbytes > >> in [INT_MAX, SSIZE_T_MAX - 1]. > > It does not look silly to me, due to the typical > > if (read() < 0) > > checks in the code. Even > > if (read() == -1) > > is vulnerable. > > read(2) returns ssize_t; SSIZE_MAX is not a negative result. I agree > that nbytes in [SSIZE_MAX+1, SIZE_MAX] should be disallowed (negative > ssize_t value after cast from size_t). > > > > >> > >> As far as I can tell, this INT_MAX behavior is not required by POSIX. > > From POSIX page for read(): > > RETURN VALUE > > Upon successful completion, these functions shall return a non-negative integer indicating the > > number of bytes actually read. Otherwise, the functions shall return -1 and set errno to indicate > > the error. > > There is a difference between int and ssize_t. They have different > ranges on e.g. amd64. Well, on amd64 there is sysctl debug.iosize_max_clamp, allowing large but still non-negative ios (allowed in current). Except for devices io, which are controlled by debug.devfs_iosize_max_clamp, disabled by default since I was not able to audit that many drivers.