Ensure io requests are always capped at 0x7ffff000

This gives us the Linux behavior across platforms. Fixes #1189
2025-06-28 15:28:30 +00:00 · 2024-05-26 16:53:13 -07:00 · 2024-05-26 16:53:13 -07:00 · af3f62a71a
commit af3f62a71a
parent 6cf9b9e0fc
10 changed files with 268 additions and 81 deletions
--- a/libc/calls/pwritev.c
+++ b/libc/calls/pwritev.c
@ -28,28 +28,57 @@
 #include "libc/intrin/likely.h"
 #include "libc/intrin/strace.internal.h"
 #include "libc/intrin/weaken.h"
+#include "libc/limits.h"
+#include "libc/mem/alloca.h"
+#include "libc/runtime/stack.h"
+#include "libc/stdckdint.h"
 #include "libc/sysv/errfuns.h"

+static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
+  size_t count = 0;
+  for (int i = 0; i < iovlen; ++i)
+    if (ckd_add(&count, count, iov[i].iov_len))
+      count = SIZE_MAX;
+  return count;
+}
+
 static ssize_t Pwritev(int fd, const struct iovec *iov, int iovlen,
                       int64_t off) {
  int i, e;
  size_t sent;
  ssize_t rc, toto;

-  if (fd < 0) {
+  if (fd < 0)
    return ebadf();
-  }
-
-  if (iovlen < 0) {
+  if (iovlen < 0)
    return einval();
-  }
-
-  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
+  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
    return efault();
-  }
-
-  if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
+  if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip)
    return ebadf();
+
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  if (!IsLinux()) {
+    size_t sum, remain = 0x7ffff000;
+    if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
+      struct iovec *iov2;
+#pragma GCC push_options
+#pragma GCC diagnostic ignored "-Walloca-larger-than="
+      iov2 = alloca(iovlen * sizeof(struct iovec));
+      CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
+#pragma GCC pop_options
+      for (int i = 0; i < iovlen; ++i) {
+        iov2[i] = iov[i];
+        if (remain >= iov2[i].iov_len) {
+          remain -= iov2[i].iov_len;
+        } else {
+          iov2[i].iov_len = remain;
+          remain = 0;
+        }
+      }
+      iov = iov2;
+    }
  }

  if (IsWindows()) {
@ -116,6 +145,11 @@ static ssize_t Pwritev(int fd, const struct iovec *iov, int iovlen,
 * been committed. It can also happen if we need to polyfill this system
 * call using pwrite().
 *
+ * It's possible for file write request to be partially completed. For
+ * example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
+ * beyond that will be ignored. This is a Linux behavior that Cosmo
+ * polyfills across platforms.
+ *
 * @return number of bytes actually sent, or -1 w/ errno
 * @cancelationpoint
 * @asyncsignalsafe