lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 3 Feb 2023 16:23:32 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Matthew Wilcox' <>,
        Andreas Dilger <>
CC:     "" <>,
        "" <>,
        "" <>,
        "" <>,
        "" <>,
        Hugh Dickins <>,
        "" <>,
        "" <>
Subject: RE: [PATCH 0/5] Fix a minor POSIX conformance problem

From: Matthew Wilcox
> Sent: 03 February 2023 13:21
> On Thu, Feb 02, 2023 at 04:08:49PM -0700, Andreas Dilger wrote:
> > On Feb 2, 2023, at 1:44 PM, Matthew Wilcox (Oracle) <> wrote:
> > >
> > > POSIX requires that on ftruncate() expansion, the new bytes must read
> > > as zeroes.  If someone's mmap()ed the file and stored past EOF, for
> > > most filesystems the bytes in that page will be not-zero.  It's a
> > > pretty minor violation; someone could race you and write to the file
> > > between the ftruncate() call and you reading from it, but it's a bit
> > > of a QOI violation.
> >
> > Is it possible to have mmap return SIGBUS for the writes beyond EOF?
> Well, no.  The hardware only tells us about accesses on a per-page
> basis.  We could SIGBUS on writes that _start_ after EOF, but this
> test doesn't do that (it starts before EOF and extends past EOF).
> And once the page is mapped writable, there's no page fault taken
> for subsequent writes.
> > On the one hand, that might indicate incorrect behavior of the application,
> > and on the other hand, it seems possible that the application doesn't
> > know it is writing beyond EOF and expects that data to be read back OK?
> POSIX says:
> "The system shall always zero-fill any partial page at the end of an
> object. Further, the system shall never write out any modified portions
> of the last page of an object which are beyond its end. References
> within the address range starting at pa and continuing for len bytes to
> whole pages following the end of an object shall result in delivery of
> a SIGBUS signal."

It also says (down at the bottom of the rational):

"The mmap() function can be used to map a region of memory that is larger
than the current size of the object. Memory access within the mapping but
beyond the current end of the underlying objects may result in SIGBUS
signals being sent to the process. The reason for this is that the size
of the object can be manipulated by other processes and can change at any
moment. The implementation should tell the application that a memory
reference is outside the object where this can be detected; otherwise,
written data may be lost and read data may not reflect actual data in the

There are a lot of 'may' in that sentence.
Note that it only says that 'data written beyond the current eof may be
I think that could be taken to take precedence over the zeroing clause
in ftruncate().
I'd bet a lot of beer that the original SYSV implementation (on with the
description is based) didn't zero the page buffer when ftruncate()
increased the file size.
Whether anything (important) actually relies on that is an interesting


Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists