| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.1.10.0807301052180.3334@nehalem.linux-foundation.org>
Date: Wed, 30 Jul 2008 11:06:29 -0700 (PDT)
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Chris Fester <cfester@....com>
cc: lkml <linux-kernel@...r.kernel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Matt Waddel <matt.waddel@...escale.com>,
Greg Ungerer <gerg@...pgear.com>
Subject: Re: [PATCH] ROMFS 0 byte file read error
On Wed, 30 Jul 2008, Chris Fester wrote:
>
> I've verified that the git tree at:
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
>
> also has the zero byte file problem for romfs. This patch
> fixes the problem. Avoids calling romfs_copyfrom when in
> the 0 size case.
Hmm. Who calls 'readpage()' with an offset past the end of the file
anyway? This _really_ shouldn't matter.
But regardless, isn't the bug that 'romfs_readpage()' sets an error bit
by default - ie even if there was no actual IO error? The thing is also
very confused about types: if it really wants to be safe in "loff_t, then
it had bettr not do the "min_t()" in just "unsigned long".
So this whole routine really seems to be much more broken than your patch
implies, and your patch just works around some brokenness.
Of course, I think it's all 32-bit and some of these problems cannot
actually happen, but wouldn't it be more obvious to rewrite it to have a
separate error return ("result") and a variable saying how much of the
page was filled ("filled")?
Something like this. UNTESTED. Pls verify and send back if this is ok. The
patch is certainly bigger, but I think that the end result is more
obvious.
Linus
---
fs/romfs/inode.c | 37 +++++++++++++++++++++++--------------
1 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/fs/romfs/inode.c b/fs/romfs/inode.c
index 8e51a2a..60d2f82 100644
--- a/fs/romfs/inode.c
+++ b/fs/romfs/inode.c
@@ -418,7 +418,8 @@ static int
romfs_readpage(struct file *file, struct page * page)
{
struct inode *inode = page->mapping->host;
- loff_t offset, avail, readlen;
+ loff_t offset, size;
+ unsigned long filled;
void *buf;
int result = -EIO;
@@ -430,21 +431,29 @@ romfs_readpage(struct file *file, struct page * page)
/* 32 bit warning -- but not for us :) */
offset = page_offset(page);
- if (offset < i_size_read(inode)) {
- avail = inode->i_size-offset;
- readlen = min_t(unsigned long, avail, PAGE_SIZE);
- if (romfs_copyfrom(inode, buf, ROMFS_I(inode)->i_dataoffset+offset, readlen) == readlen) {
- if (readlen < PAGE_SIZE) {
- memset(buf + readlen,0,PAGE_SIZE-readlen);
- }
- SetPageUptodate(page);
- result = 0;
+ size = i_size_read(inode);
+ filled = 0;
+ result = 0;
+ if (offset < size) {
+ unsigned long readlen;
+
+ size -= offset;
+ readlen = size > PAGE_SIZE ? PAGE_SIZE : size;
+
+ filled = romfs_copyfrom(inode, buf, ROMFS_I(inode)->i_dataoffset+offset, readlen);
+
+ if (filled != readlen) {
+ SetPageError(page);
+ filled = 0;
+ result = -EIO;
}
}
- if (result) {
- memset(buf, 0, PAGE_SIZE);
- SetPageError(page);
- }
+
+ if (filled < PAGE_SIZE)
+ memset(buf + filled, 0, PAGE_SIZE-filled);
+
+ if (!result)
+ SetPageUptodate(page);
flush_dcache_page(page);
unlock_page(page);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists