From owner-freebsd-hackers@freebsd.org  Sun May 22 23:41:45 2016
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3DEBCB4627A
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Sun, 22 May 2016 23:41:45 +0000 (UTC) (envelope-from joerg@bec.de)
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net
 [IPv6:2001:4b98:c:538::194])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 07C371A49
 for <freebsd-hackers@freebsd.org>; Sun, 22 May 2016 23:41:45 +0000 (UTC)
 (envelope-from joerg@bec.de)
Received: from mfilter14-d.gandi.net (mfilter14-d.gandi.net [217.70.178.142])
 by relay2-d.mail.gandi.net (Postfix) with ESMTP id 5DCBFC5A54
 for <freebsd-hackers@freebsd.org>; Mon, 23 May 2016 01:41:43 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter14-d.gandi.net
Received: from relay2-d.mail.gandi.net ([IPv6:::ffff:217.70.183.194])
 by mfilter14-d.gandi.net (mfilter14-d.gandi.net [::ffff:10.0.15.180])
 (amavisd-new, port 10024)
 with ESMTP id LHa4koj7CJo4 for <freebsd-hackers@freebsd.org>;
 Mon, 23 May 2016 01:41:41 +0200 (CEST)
X-Originating-IP: 108.61.101.156
Received: from britannica.bec.de (unknown [108.61.101.156])
 (Authenticated sender: joerg@bec.de)
 by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id D4041C5A4F
 for <freebsd-hackers@freebsd.org>; Mon, 23 May 2016 01:41:40 +0200 (CEST)
Date: Mon, 23 May 2016 01:41:35 +0200
From: Joerg Sonnenberger <joerg@bec.de>
To: freebsd-hackers@freebsd.org
Subject: Re: read(2) and thus bsdiff is limited to 2^31 bytes
Message-ID: <20160522234135.GA27218@britannica.bec.de>
Mail-Followup-To: freebsd-hackers@freebsd.org
References: <b2515cae-b75d-66e9-4207-3cf100ab3ab0@erdgeist.org>
 <CAG6CVpWb7nvX+LFpLizkSx8Y-deXfXiWi=rL56iGZ71YPhmLbw@mail.gmail.com>
 <20160522230942.GP89104@kib.kiev.ua>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160522230942.GP89104@kib.kiev.ua>
User-Agent: Mutt/1.6.1 (2016-04-27)
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 22 May 2016 23:41:45 -0000

On Mon, May 23, 2016 at 02:09:42AM +0300, Konstantin Belousov wrote:
> On Sun, May 22, 2016 at 03:56:33PM -0700, Conrad Meyer wrote:
> > On Sun, May 22, 2016 at 1:54 PM, Dirk Engling <erdgeist@erdgeist.org> wrote:
> > > When trying to bsdiff two DVD images, I noticed it failing due to
> > > read(2) returning EINVAL to the tool. man 2 read says, this would only
> > > happen for a negative value for fildes, which clearly was not true.
> > 
> > Actually, it's documented at the very bottom of the first section:
> > 
> > ERRORS
> >      The read(), readv(), pread() and preadv() system calls will succeed
> >      unless:
> > ...
> >      [EINVAL]           The value nbytes is greater than INT_MAX.
> > 
> > It does seem silly to me given nbytes is a size_t.  I think it should
> > error if nbytes is greater than SSIZE_T_MAX, but on platforms where
> > size_t is larger than int (e.g. amd64) it shouldn't error for nbytes
> > in [INT_MAX, SSIZE_T_MAX - 1].
> It does not look silly to me, due to the typical
> 	if (read() < 0)
> checks in the code.  Even
> 	if (read() == -1)
> is vulnerable.

But that code can already fail in a number of situations. Short reads as
well as short writes can happen in any of a number of situations.

Joerg