lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 3 Feb 2023 13:21:17 +0000
From:   Matthew Wilcox <willy@...radead.org>
To:     Andreas Dilger <adilger@...ger.ca>
Cc:     linux-fsdevel@...r.kernel.org, linux-afs@...ts.infradead.org,
        linux-btrfs@...r.kernel.org, linux-ext4@...r.kernel.org,
        linux-mm@...ck.org, Hugh Dickins <hughd@...gle.com>,
        linux-kernel@...r.kernel.org, fstests@...r.kernel.org
Subject: Re: [PATCH 0/5] Fix a minor POSIX conformance problem

On Thu, Feb 02, 2023 at 04:08:49PM -0700, Andreas Dilger wrote:
> On Feb 2, 2023, at 1:44 PM, Matthew Wilcox (Oracle) <willy@...radead.org> wrote:
> > 
> > POSIX requires that on ftruncate() expansion, the new bytes must read
> > as zeroes.  If someone's mmap()ed the file and stored past EOF, for
> > most filesystems the bytes in that page will be not-zero.  It's a
> > pretty minor violation; someone could race you and write to the file
> > between the ftruncate() call and you reading from it, but it's a bit
> > of a QOI violation.
> 
> Is it possible to have mmap return SIGBUS for the writes beyond EOF?

Well, no.  The hardware only tells us about accesses on a per-page
basis.  We could SIGBUS on writes that _start_ after EOF, but this
test doesn't do that (it starts before EOF and extends past EOF).
And once the page is mapped writable, there's no page fault taken
for subsequent writes.

> On the one hand, that might indicate incorrect behavior of the application,
> and on the other hand, it seems possible that the application doesn't
> know it is writing beyond EOF and expects that data to be read back OK?

POSIX says:

"The system shall always zero-fill any partial page at the end of an
object. Further, the system shall never write out any modified portions
of the last page of an object which are beyond its end. References
within the address range starting at pa and continuing for len bytes to
whole pages following the end of an object shall result in delivery of
a SIGBUS signal."

https://pubs.opengroup.org/onlinepubs/9699919799/functions/mmap.html

So the application can't expect to read back anything it's written
(and if you look at page writeback, we currently zero beyond EOF at
writeback time).

> IMHO, this seems better to stop the root of the problem (mmap() allowing
> bad writes), rather than trying to fix it after the fact.

That would be nice, but we're rather stuck with the hardware that exists.
IIUC Cray-1 had byte-granularity range registers, but page-granularity
is what we have.

Powered by blists - more mailing lists