From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-4.1 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, SPF_HELO_PASS,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id C893F1F66E for ; Fri, 14 Aug 2020 11:14:38 +0000 (UTC) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 357C73857C67; Fri, 14 Aug 2020 11:14:36 +0000 (GMT) Received: from huawei.com (szxga07-in.huawei.com [45.249.212.35]) by sourceware.org (Postfix) with ESMTPS id 6879C3857C52 for ; Fri, 14 Aug 2020 11:14:31 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 6879C3857C52 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=huawei.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=nixiaoming@huawei.com Received: from DGGEMS401-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id E777CCC11B976DE1314B; Fri, 14 Aug 2020 19:14:24 +0800 (CST) Received: from [127.0.0.1] (10.67.102.197) by DGGEMS401-HUB.china.huawei.com (10.3.19.201) with Microsoft SMTP Server id 14.3.487.0; Fri, 14 Aug 2020 19:14:21 +0800 Subject: Re: [PATCH] io:nftw/ftw:fix stack overflow when large nopenfd [BZ #26353] To: Paul Eggert References: <20200808084640.49174-1-nixiaoming@huawei.com> <467877bb-172d-b08c-c91b-d95a65c3c31c@cs.ucla.edu> From: Xiaoming Ni Message-ID: <0da2382b-46b4-a49e-e85b-6560118fc695@huawei.com> Date: Fri, 14 Aug 2020 19:14:21 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.0.1 MIME-Version: 1.0 In-Reply-To: <467877bb-172d-b08c-c91b-d95a65c3c31c@cs.ucla.edu> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.102.197] X-CFilter-Loop: Reflected X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: libc-alpha@sourceware.org Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" On 2020/8/14 4:32, Paul Eggert wrote: > The patch isn't complete, since it doesn't check for integer overflow > when multiplying data.maxdir by sizeof (struct dir_data *), where the > function should also fail with errno == ENOMEM. You can check for > overflow via intprops.h's INT_MULTIPLY_WRAPV (data.maxdir, sizeof > (struct dir_data *)), &x) where x is of type size_t. > diff --git a/io/ftw.c b/io/ftw.c index 8c79d29a9e..094aada50c 100644 --- a/io/ftw.c +++ b/io/ftw.c @@ -643,18 +643,32 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors, __set_errno (ENOENT); return -1; } + if (descriptors > getdtablesize()) + { + __set_errno (EINVAL); + return -1; + } linux/include/uapi/linux/fs.h:38:#define INR_OPEN_MAX 4096 /* Hard limit for nfile rlimits */ When data.maxdir is less than getdtablesize(), is there still a possibility that integer overflow occurs in data.maxdir * sizeof (struct dir_data *)? > Also, doesn't 'free' preserve errno? (If not, it should.) Then you need > not set errno after malloc fails; the only time you need to set errno is > when INT_MULTIPLY_WRAPV reports an overflow. Yes, here is my mistake, the malloc function itself has set the error code in the failure branch. > > The test case should have a test that uses INT_MAX. Yes, I missed the EINVAL branch test. Thank you. I'll send the v2 patch later.