From: Florian Weimer
To: Paul Eggert
Cc: libc-alpha@sourceware.org, Samuel Thibault
Subject: Re: [PATCH 1/3] : Add type safety and port to Hurd
References: <61b49643-9c7b-7060-6eb7-21060dd6e22f@cs.ucla.edu> <87wo8oxa63.fsf@oldenburg2.str.redhat.com>
Date: Mon, 17 Feb 2020 16:18:47 +0100
In-Reply-To: (Paul Eggert's message of "Sat, 15 Feb 2020 16:02:28 -0800")
Message-ID: <8736b9nsx4.fsf@oldenburg2.str.redhat.com>

* Paul Eggert:

> On 2/15/20 5:16 AM, Florian Weimer wrote:
>
>> INT_STRLEN_BOUND is 11, right?
>
> Yes, it's a bound on the string length of a printed int, and that's 11
> in the typical case of 32-bit int because the int might be negative.
> I didn't lose sleep over the wasted byte, but if we want a tighter
> bound then we could use INT_STRLEN_BOUND (int) - 1 instead.  However,
> it might be better to leave it alone so that we can use the code
> below.
>
>> The problem is when an application passes an invalid descriptor to some
>> libc function and that ends up with __fd_to_filename.  We should not
>> make matters worse in that case.
>
> If it's not a precondition that the descriptor is nonnegative, we
> can't simply return a copy of FD_TO_FILENAME_PREFIX as that's an
> existing filename.  Instead, how about the following?  It uses a
> randomish garbage filename beginning with "-"
> which should be good enough, and it doesn't cost a conditional branch
> to handle negative descriptors.
>
> char *
> __fd_to_filename (int descriptor, struct fd_to_filename *storage)
> {
>   char *p = mempcpy (storage->buffer, FD_TO_FILENAME_PREFIX,
>                      strlen (FD_TO_FILENAME_PREFIX));
>
>   /* If DESCRIPTOR is negative, arrange for the filename to not exist
>      by prepending any byte other than '/', '.', '\0' or an ASCII digit.
>      The rest of the filename will be gibberish that fits.  */
>   *p = '-';
>   p += descriptor < 0;
>
>   for (int d = descriptor; p++, (d /= 10) != 0; )
>     continue;
>   *p = '\0';
>   for (int d = descriptor; *--p = '0' + d % 10, (d /= 10) != 0; )
>     continue;
>   return storage->buffer;
> }

Here's an updated version, which adds a dependency on (a header I really
dislike) and mostly uses your implementation of __fd_to_filename.

Okay for master?

Thanks,
Florian

8<------------------------------------------------------------------8<

The new type struct fd_to_filename makes the allocation of the backing
storage explicit.

Hurd uses /dev/fd, not /proc/self/fd.

Co-Authored-By: Paul Eggert

-----
 libio/freopen.c                                 |   4 +-
 libio/freopen64.c                               |   4 +-
 misc/Makefile                                   |   6 +-
 misc/fd_to_filename.c                           |  38 ++++++++
 misc/tst-fd_to_filename.c                       | 100 +++++++++++++++++++++
 sysdeps/generic/arch-fd_to_filename.h           |  19 ++++
 sysdeps/generic/fd_to_filename.h                |  26 ++++--
 sysdeps/mach/hurd/arch-fd_to_filename.h         |  19 ++++
 .../{fd_to_filename.h => arch-fd_to_filename.h} |  22 +---
 9 files changed, 205 insertions(+), 33 deletions(-)

diff --git a/libio/freopen.c b/libio/freopen.c index bab3ba204a..884cdb2961 100644 --- a/libio/freopen.c +++ b/libio/freopen.c @@ -37,7 +37,7 @@ FILE * freopen (const char *filename, const char *mode, FILE *fp) { FILE *result =3D NULL; - char fdfilename[FD_TO_FILENAME_SIZE]; + struct fd_to_filename fdfilename; =20 CHECK_FILE (fp, NULL); =20 @@ -50,7 +50,7 @@ freopen (const char *filename, const char *mode, FILE *fp= ) =20 int fd =3D _IO_fileno (fp); const char *gfilename - =3D filename !=3D NULL ? filename : fd_to_filename (fd, fdfilename); + =3D filename !=3D NULL ? filename : __fd_to_filename (fd, &fdfilename)= ; =20 fp->_flags2 |=3D _IO_FLAGS2_NOCLOSE; #if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_1) diff --git a/libio/freopen64.c b/libio/freopen64.c index c0ce604e6e..0d2c5264c7 100644 --- a/libio/freopen64.c +++ b/libio/freopen64.c
@@ -36,7 +36,7 @@ FILE * freopen64 (const char *filename, const char *mode, FILE *fp) { FILE *result =3D NULL; - char fdfilename[FD_TO_FILENAME_SIZE]; + struct fd_to_filename fdfilename; =20 CHECK_FILE (fp, NULL); =20 @@ -49,7 +49,7 @@ freopen64 (const char *filename, const char *mode, FILE *= fp) =20 int fd =3D _IO_fileno (fp); const char *gfilename - =3D filename !=3D NULL ? filename : fd_to_filename (fd, fdfilename); + =3D filename !=3D NULL ? filename : __fd_to_filename (fd, &fdfilename)= ; =20 fp->_flags2 |=3D _IO_FLAGS2_NOCLOSE; _IO_file_close_it (fp); diff --git a/misc/Makefile b/misc/Makefile index e0465980c7..b8fed5783d 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -72,7 +72,7 @@ routines :=3D brk sbrk sstk ioctl \ =09 fgetxattr flistxattr fremovexattr fsetxattr getxattr \ =09 listxattr lgetxattr llistxattr lremovexattr lsetxattr \ =09 removexattr setxattr getauxval ifunc-impl-list makedev \ -=09 allocate_once +=09 allocate_once fd_to_filename =20 generated +=3D tst-error1.mtrace tst-error1-mem.out \ tst-allocate_once.mtrace tst-allocate_once-mem.out @@ -97,6 +97,10 @@ endif tests-internal :=3D tst-atomic tst-atomic-long tst-allocate_once tests-static :=3D tst-empty =20 +# Test for the internal, non-exported __fd_to_filename function. +tests-internal +=3D tst-fd_to_filename +tests-static +=3D tst-fd_to_filename + ifeq ($(run-built-tests),yes) tests-special +=3D $(objpfx)tst-error1-mem.out \ $(objpfx)tst-allocate_once-mem.out diff --git a/misc/fd_to_filename.c b/misc/fd_to_filename.c new file mode 100644 index 0000000000..03d19194c1 --- /dev/null +++ b/misc/fd_to_filename.c 
@@ -0,0 +1,38 @@ +/* Construct a pathname under /proc/self/fd (or /dev/fd for Hurd). + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include + +#include +#include + +char * +__fd_to_filename (int descriptor, struct fd_to_filename *storage) +{ + assert (descriptor >=3D 0); + + char *p =3D mempcpy (storage->buffer, FD_TO_FILENAME_PREFIX, + strlen (FD_TO_FILENAME_PREFIX)); + + for (int d =3D descriptor; p++, (d /=3D 10) !=3D 0; ) + continue; + *p =3D '\0'; + for (int d =3D descriptor; *--p =3D '0' + d % 10, (d /=3D 10) !=3D 0; ) + continue; + return storage->buffer; +} diff --git a/misc/tst-fd_to_filename.c b/misc/tst-fd_to_filename.c new file mode 100644 index 0000000000..3a3bccdbcf --- /dev/null +++ b/misc/tst-fd_to_filename.c 
@@ -0,0 +1,100 @@ +/* Test for /proc/self/fd (or /dev/fd) pathname construction. + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +/* Run a check on one value. */ +static void +check (int value) +{ + if (value < 0) + /* Negative descriptor values violate the precondition. */ + return; + + struct fd_to_filename storage; + char *actual =3D __fd_to_filename (value, &storage); + char expected[100]; + snprintf (expected, sizeof (expected), FD_TO_FILENAME_PREFIX "%d", value= ); + TEST_COMPARE_STRING (actual, expected); +} + +/* Check various ranges constructed around powers. */ +static void +check_ranges (int base) +{ + unsigned int power =3D 1; + do + { + for (int factor =3D 1; factor < base; ++factor) + for (int shift =3D -1000; shift <=3D 1000; ++shift) + check (factor * power + shift); + } + while (!__builtin_mul_overflow (power, base, &power)); +} + +/* Check that it is actually possible to use a the constructed + name. 
*/ +static void +check_open (void) +{ + int pipes[2]; + xpipe (pipes); + + struct fd_to_filename storage; + int read_alias =3D xopen (__fd_to_filename (pipes[0], &storage), O_RDONL= Y, 0); + int write_alias =3D xopen (__fd_to_filename (pipes[1], &storage), O_WRON= LY, 0); + + /* Ensure that all the descriptor numbers are different. */ + TEST_VERIFY (pipes[0] < pipes[1]); + TEST_VERIFY (pipes[1] < read_alias); + TEST_VERIFY (read_alias < write_alias); + + xwrite (write_alias, "1", 1); + char buf[16]; + TEST_COMPARE_BLOB ("1", 1, buf, read (pipes[0], buf, sizeof (buf))); + + xwrite (pipes[1], "2", 1); + TEST_COMPARE_BLOB ("2", 1, buf, read (read_alias, buf, sizeof (buf))); + + xwrite (write_alias, "3", 1); + TEST_COMPARE_BLOB ("3", 1, buf, read (read_alias, buf, sizeof (buf))); + + xwrite (pipes[1], "4", 1); + TEST_COMPARE_BLOB ("4", 1, buf, read (pipes[0], buf, sizeof (buf))); + + xclose (write_alias); + xclose (read_alias); + xclose (pipes[1]); + xclose (pipes[0]); +} + +static int +do_test (void) +{ + check_ranges (2); + check_ranges (10); + + check_open (); + + return 0; +} + +#include diff --git a/sysdeps/generic/arch-fd_to_filename.h b/sysdeps/generic/arch-f= d_to_filename.h new file mode 100644 index 0000000000..ecaaa14dba --- /dev/null +++ b/sysdeps/generic/arch-fd_to_filename.h 
@@ -0,0 +1,19 @@ +/* Query filename corresponding to an open FD. Generic stub. + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#error " must be ported to this architecture" diff --git a/sysdeps/generic/fd_to_filename.h b/sysdeps/generic/fd_to_filen= ame.h index eff6ca211b..5ca22f02bc 100644 --- a/sysdeps/generic/fd_to_filename.h +++ b/sysdeps/generic/fd_to_filename.h @@ -1,4 +1,4 @@ -/* Query filename corresponding to an open FD. Generic version. +/* Query filename corresponding to an open FD. Copyright (C) 2001-2020 Free Software Foundation, Inc. This file is part of the GNU C Library. =20 
@@ -16,12 +16,22 @@ License along with the GNU C Library; if not, see . */ =20 -#define FD_TO_FILENAME_SIZE 0 +#ifndef _FD_TO_FILENAME_H +#define _FD_TO_FILENAME_H =20 -/* In general there is no generic way to query filename for an open - file descriptor. */ -static inline const char * -fd_to_filename (int fd, char *buf) +#include +#include + +struct fd_to_filename { - return NULL; -} + /* A positive int value has at most 10 decimal digits. */ + char buffer[sizeof (FD_TO_FILENAME_PREFIX) + INT_STRLEN_BOUND (int)]; +}; + +/* Writes a /proc/self/fd-style path for DESCRIPTOR to *STORAGE and + returns a pointer to the start of the string. DESCRIPTOR must be + non-negative. */ +char *__fd_to_filename (int descriptor, struct fd_to_filename *storage) + attribute_hidden; + +#endif /* _FD_TO_FILENAME_H */ diff --git a/sysdeps/mach/hurd/arch-fd_to_filename.h b/sysdeps/mach/hurd/ar= ch-fd_to_filename.h new file mode 100644 index 0000000000..b45cd8d836 --- /dev/null +++ b/sysdeps/mach/hurd/arch-fd_to_filename.h @@ -0,0 +1,19 @@ +/* Query filename corresponding to an open FD. Hurd version. + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#define FD_TO_FILENAME_PREFIX "/dev/fd/" 
diff --git a/sysdeps/unix/sysv/linux/fd_to_filename.h b/sysdeps/unix/sysv/l= inux/arch-fd_to_filename.h similarity index 58% rename from sysdeps/unix/sysv/linux/fd_to_filename.h rename to sysdeps/unix/sysv/linux/arch-fd_to_filename.h index 92a5e02976..b6017214c7 100644 --- a/sysdeps/unix/sysv/linux/fd_to_filename.h +++ b/sysdeps/unix/sysv/linux/arch-fd_to_filename.h @@ -1,5 +1,5 @@ /* Query filename corresponding to an open FD. Linux version. - Copyright (C) 2001-2020 Free Software Foundation, Inc. + Copyright (C) 2020 Free Software Foundation, Inc. This file is part of the GNU C Library. =20 The GNU C Library is free software; you can redistribute it and/or @@ -16,22 +16,4 @@ License along with the GNU C Library; if not, see . */ =20 -#include -#include -#include <_itoa.h> - -#define FD_TO_FILENAME_SIZE ((sizeof ("/proc/self/fd/") - 1) \ -=09=09=09 + (sizeof ("4294967295") - 1) + 1) - -static inline const char * -fd_to_filename (unsigned int fd, char *buf) -{ - *_fitoa_word (fd, __stpcpy (buf, "/proc/self/fd/"), 10, 0) =3D '\0'; - - /* We must make sure the file exists. */ - struct stat64 st; - if (__lxstat64 (_STAT_VER, buf, &st) < 0) - /* /proc is not mounted or something else happened. */ - return NULL; - return buf; -} +#define FD_TO_FILENAME_PREFIX "/proc/self/fd/"
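Review bot: in the libio/freopen.c @@ -50 hunk, the `gfilename` initializer can no longer receive NULL: the old `fd_to_filename` returned NULL when its `__lxstat64` check failed (/proc not mounted), while `__fd_to_filename` always returns a path, so that situation now surfaces as a failed open of "/proc/self/fd/N" later in freopen instead of a NULL `gfilename`. The context lines show no NULL handling either way, but the commit message should state this behaviour change; the identical hunk in libio/freopen64.c has the same effect.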
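Review bot: `assert (descriptor >= 0)` in misc/fd_to_filename.c contradicts the concern raised earlier in this thread that an application passing an invalid descriptor can reach `__fd_to_filename` and "we should not make matters worse": with the assert, a negative descriptor aborts the process instead of yielding a name that simply does not exist. Either keep the `*p = '-'; p += descriptor < 0;` handling from the quoted proposal (with `strlen (FD_TO_FILENAME_PREFIX) - 1` in the `mempcpy` so the sign slot fits the INT_STRLEN_BOUND sizing), or extend the header comment to say why every caller guarantees a non-negative value.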
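Review bot: in misc/tst-fd_to_filename.c, `check (factor * power + shift)` computes in `unsigned int` and converts to `int` for `check (int value)`, so values above INT_MAX rely on implementation-defined unsigned-to-int conversion wrapping to negative (which `check` then skips). GCC defines this as modular and glibc already depends on that, but a one-line comment at the call would save the next reader the analysis. Two smaller points: the comment above `check_open` reads "use a the constructed name" (drop the "a"), and `read (...)` returns -1 on failure, which `TEST_COMPARE_BLOB` would then receive as a length; `xread (pipes[0], buf, 1)` followed by a compare of `buf` avoids that.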
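Review bot: in sysdeps/generic/fd_to_filename.h, the comment `/* A positive int value has at most 10 decimal digits. */` disagrees with the expression under it: `INT_STRLEN_BOUND (int)` is 11 because it allows for a sign, so together with the NUL counted by `sizeof (FD_TO_FILENAME_PREFIX)` the buffer has one byte of slack for non-negative descriptors. Either say so in the comment or use `INT_STRLEN_BOUND (int) - 1` as the thread discusses; as written a reader assumes the two agree.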
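Review bot: in the rename hunk for sysdeps/unix/sysv/linux/arch-fd_to_filename.h, the copyright line is reset from `2001-2020` to `2020` although git records the file as a 58% rename of the 2001 header; the existing year range should be kept. Separately, the removed `__lxstat64` block was the only existence check for the /proc path, and the `#error` stub in sysdeps/generic/arch-fd_to_filename.h turns the old "return NULL" generic fallback into a build failure for any port without its own prefix; both are reasonable for the Linux and Hurd ports but deserve a sentence in the commit message.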
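The two points argued in the thread, that INT_STRLEN_BOUND (int) is 11 only because of a possible sign and that negative descriptors should yield a name that cannot exist rather than an abort, are easiest to check with code. The following is an added example written for this page, not glibc code and not Paul's or Florian's: it reproduces the bound arithmetic without intprops.h, formats negative descriptors with a leading '-' (exact magnitude rather than the proposal's "gibberish"), and compares every result against snprintf, including INT_MAX and INT_MIN, while confirming the NUL landed inside the fixed buffer. The names fd_name, fd_name_format, fd_name_matches_snprintf, fd_name_equals, fd_name_slack and fd_name_check_range are this example's own; FD_PREFIX reuses the Linux prefix from the patch.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Prefix for this example; glibc selects it per OS through
   arch-fd_to_filename.h.  This is the Linux value from the patch.  */
#define FD_PREFIX "/proc/self/fd/"

/* Worst-case decimal length of an int: one digit per 146/485 bits of
   magnitude (a rational slightly above log10(2)), plus one for a sign.
   Gives 11 for 32-bit int, the INT_STRLEN_BOUND (int) value the thread
   quotes, without depending on intprops.h.  */
#define INT_DECIMAL_BOUND \
  ((int) ((sizeof (int) * CHAR_BIT - 1) * 146 / 485 + 1) + 1)

struct fd_name
{
  /* sizeof (FD_PREFIX) already counts the terminating NUL.  */
  char buffer[sizeof (FD_PREFIX) + INT_DECIMAL_BOUND];
};

/* Write FD_PREFIX followed by DESCRIPTOR in decimal into *STORAGE and
   return the start of the string.  A negative descriptor gets a leading
   '-', so the result names nothing under the prefix directory instead of
   tripping an assertion.  No snprintf, so the routine stays usable where
   only async-signal-safe calls are allowed.  */
char *
fd_name_format (int descriptor, struct fd_name *storage)
{
  char *p = storage->buffer;
  memcpy (p, FD_PREFIX, strlen (FD_PREFIX));
  p += strlen (FD_PREFIX);

  /* Work on the magnitude as unsigned so INT_MIN needs no special case.  */
  unsigned int mag;
  if (descriptor < 0)
    {
      *p++ = '-';
      mag = 0u - (unsigned int) descriptor;
    }
  else
    mag = (unsigned int) descriptor;

  /* First pass: find where the NUL goes by counting digits.  */
  char *end = p;
  for (unsigned int d = mag; end++, (d /= 10) != 0; )
    continue;
  *end = '\0';

  /* Second pass: fill the digits from the right.  */
  for (unsigned int d = mag; *--end = '0' + d % 10, (d /= 10) != 0; )
    continue;

  return storage->buffer;
}

/* 1 if fd_name_format agrees with snprintf for DESCRIPTOR and terminated
   the string inside the buffer, 0 otherwise.  */
int
fd_name_matches_snprintf (int descriptor)
{
  struct fd_name storage;
  memset (storage.buffer, 'X', sizeof storage.buffer);
  char *actual = fd_name_format (descriptor, &storage);
  /* Look for the NUL before strcmp so an overrun cannot make strcmp
     read past the buffer.  */
  if (memchr (storage.buffer, '\0', sizeof storage.buffer) == NULL)
    return 0;
  char expected[64];
  snprintf (expected, sizeof expected, FD_PREFIX "%d", descriptor);
  return strcmp (actual, expected) == 0;
}

/* 1 if formatting DESCRIPTOR yields exactly EXPECTED.  */
int
fd_name_equals (int descriptor, const char *expected)
{
  struct fd_name storage;
  return strcmp (fd_name_format (descriptor, &storage), expected) == 0;
}

/* Bytes of the buffer left unused by the longest possible name (INT_MIN).
   With the sign byte in use this is 0 on 32-bit int; the thread's "wasted
   byte" exists only once negatives are ruled out.  */
size_t
fd_name_slack (void)
{
  struct fd_name storage;
  char *s = fd_name_format (INT_MIN, &storage);
  return sizeof storage.buffer - (strlen (s) + 1);
}

/* 1 if every descriptor in [LO, HI] round-trips through snprintf.  */
int
fd_name_check_range (int lo, int hi)
{
  for (long long v = lo; v <= hi; v++)
    if (!fd_name_matches_snprintf ((int) v))
      return 0;
  return 1;
}

int
main (void)
{
  struct fd_name storage;
  printf ("%s\n", fd_name_format (3, &storage));
  printf ("%s\n", fd_name_format (-1, &storage));
  printf ("slack bytes: %zu\n", fd_name_slack ());
  printf ("ranges ok: %d\n",
          fd_name_check_range (-1100, 1100)
          && fd_name_check_range (INT_MAX - 5, INT_MAX)
          && fd_name_check_range (INT_MIN, INT_MIN + 5));
  return 0;
}
```

The range check deliberately crosses the digit-count boundaries (9 to 10 and 10 to 11 characters around 1000 and the int extremes) because that is where a one-off in the bound would show up as a missing terminator rather than a wrong digit.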