lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.2.00.0810091411520.3210@nehalem.linux-foundation.org>
Date:	Thu, 9 Oct 2008 14:14:19 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Miklos Szeredi <miklos@...redi.hu>
cc:	jens.axboe@...cle.com, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: splice vs O_APPEND



On Thu, 9 Oct 2008, Miklos Szeredi wrote:
> 
> The thing is, the append-only attribute is absolutely useless without
> being able to depend on it.  So in that sense I think the IS_APPEND
> issue is important, and I'm fine with your original proposal for that
> (except we don't need the IS_IMMUTABLE check).

Heh. In the meantime, I had grown to hate that more complex patch.

So because I do see your point with IS_APPEND (being different from 
O_APPEND), but because I also think that O_APPEND itself is a gray and 
murky area, I just committed the following. I doubt anybody will ever even 
notice it, but while I think it's all debatable, we might as well debate 
it with this in place. I do agree that it's "safer" behaviour.

		Linus

---
commit a05b4085484ac45558810e4c5928e5a291c20f65
Author: Linus Torvalds <torvalds@...ux-foundation.org>
Date:   Thu Oct 9 14:04:54 2008 -0700

    Don't allow splice() to files opened with O_APPEND
    
    This is debatable, but while we're debating it, let's disallow the
    combination of splice and an O_APPEND destination.
    
    It's not entirely clear what the semantics of O_APPEND should be, and
    POSIX apparently expects pwrite() to ignore O_APPEND, for example.  So
    we could make up any semantics we want, including the old ones.
    
    But Miklos convinced me that we should at least give it some thought,
    and that accepting writes at arbitrary offsets is wrong at least for
    IS_APPEND() files (which always have O_APPEND set, even if the reverse
    isn't true: you can obviously have O_APPEND set on a regular file).
    
    So disallow O_APPEND entirely for now.  I doubt anybody cares, and this
    way we have one less gray area to worry about.
    
    Reported-and-argued-for-by: Miklos Szeredi <miklos@...redi.hu>
    Cc: Jens Axboe <ens.axboe@...cle.com>
    Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>

diff --git a/fs/splice.c b/fs/splice.c
index 1bbc6f4..a1e701c 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -898,6 +898,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
 	if (unlikely(!(out->f_mode & FMODE_WRITE)))
 		return -EBADF;
 
+	if (unlikely(out->f_flags & O_APPEND))
+		return -EINVAL;
+
 	ret = rw_verify_area(WRITE, out, ppos, len);
 	if (unlikely(ret < 0))
 		return ret;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ