lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 26 Jan 2021 23:50:54 +0000
From:   Al Viro <>
To:     Nicolas Boichat <>
Cc:     "Darrick J . Wong" <>,
        Dave Chinner <>,
        Luis Lozano <>,
        Ian Lance Taylor <>,
        Amir Goldstein <>,
        "Darrick J. Wong" <>,
        Dave Chinner <>,,
Subject: Re: [PATCH] fs: generic_copy_file_checks: Do not adjust count based
 on file size

On Tue, Jan 26, 2021 at 01:50:22PM +0800, Nicolas Boichat wrote:
> copy_file_range (which calls generic_copy_file_checks) uses the
> inode file size to adjust the copy count parameter. This breaks
> with special filesystems like procfs/sysfs, where the file size
> appears to be zero, but content is actually returned when a read
> operation is performed.
> This commit ignores the source file size, and makes copy_file_range
> match the end of file behaviour documented in POSIX's "read",
> where 0 is returned to mark EOF. This would allow "cp" and other
> standard tools to make use of copy_file_range with the exact same
> behaviour as they had in the past.

	Proper fix is _not_ to use copy_file_range(2) in cp(1) - it's
really not universal and its implementation will *NOT* do the right
thing for most of procfs files.  Sequential read(2) (or splice(2),
for that matter) will give you consistent output; copy_file_range(2)
will not.

	What copy_file_range() does is splice from input to internal pipe
+ splice from that internal pipe to output, done in a loop.  HOWEVER,
a short write to output will discard the contents of the internal pipe
and pretend we had a short _read_ instead.  With ->f_pos updated
accordingly, so that on the next call we'd start from the place
right after everything we'd copied.  However, that will result in
implicit seek on the next call of seq_read(), with no promise whatsoever
that you won't end up with consistent records in your copy.
Short copy on read(2) will leave the rest of the record in buffer,
so the next read(2) will pick that first.

	IOW, don't expect copy_file_range() to produce usable copies
for those.  Doesn't work.  splice to explicit pipe + splice from that
pipe (without flushing the sucker) works, and if you really want
zero-copy you could use that.

	Again, use of copy_file_range(2) in cp(1) is a userland bug.
Don't do it.

Powered by blists - more mailing lists