mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-02-25 07:19:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Ensure io requests are always capped at 0x7ffff000

Browse source 
This gives us the Linux behavior across platforms.

Fixes #1189
This commit is contained in:
Justine Tunney 2024-05-26 16:53:13 -07:00
parent 6cf9b9e0fc
commit af3f62a71a
No known key found for this signature in database
GPG key ID: BE714B4575D6E328
10 changed files with 268 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -133,7 +133,7 @@ endif
ifneq ($(findstring aarch64,$(MODE)),)
ARCH = aarch64
HOSTS ?= pi pi5 studio freebsdarm
HOSTS ?= pi studio freebsdarm
else
ARCH = x86_64
HOSTS ?= freebsd rhel7 xnu openbsd netbsd win10

7
libc/calls/pread.c
View file

@ -30,6 +30,7 @@
#include "libc/macros.internal.h"
#include "libc/runtime/runtime.h"
#include "libc/runtime/zipos.internal.h"
#include "libc/stdio/sysparam.h"
#include "libc/sysv/errfuns.h"
/**
@ -39,7 +40,7 @@
*
* @param fd is something open()'d earlier, noting pipes might not work
* @param buf is copied into, cf. copy_file_range(), sendfile(), etc.
* @param size in range [1..0x7ffff000] is reasonable
* @param size is always saturated to 0x7ffff000 automatically
* @param offset is bytes from start of file at which read begins
* @return [1..size] bytes on success, 0 on EOF, or -1 w/ errno; with
* exception of size==0, in which case return zero means no error
@ -58,6 +59,10 @@ ssize_t pread(int fd, void *buf, size_t size, int64_t offset) {
ssize_t rc;
BEGIN_CANCELATION_POINT;
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
size = MIN(size, 0x7ffff000);
if (offset < 0) {
rc = einval();
} else if (fd < 0) {

50
libc/calls/preadv.c
View file

@ -28,24 +28,55 @@
#include "libc/intrin/likely.h"
#include "libc/intrin/strace.internal.h"
#include "libc/intrin/weaken.h"
#include "libc/limits.h"
#include "libc/mem/alloca.h"
#include "libc/runtime/stack.h"
#include "libc/runtime/zipos.internal.h"
#include "libc/stdckdint.h"
#include "libc/sysv/errfuns.h"
static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
size_t count = 0;
for (int i = 0; i < iovlen; ++i)
if (ckd_add(&count, count, iov[i].iov_len))
count = SIZE_MAX;
return count;
}
static ssize_t Preadv(int fd, struct iovec *iov, int iovlen, int64_t off) {
int e, i;
size_t got;
ssize_t rc, toto;
if (fd < 0) {
if (fd < 0)
return ebadf();
}
if (iovlen < 0) {
if (iovlen < 0)
return einval();
}
if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
return efault();
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
if (!IsLinux()) {
size_t sum, remain = 0x7ffff000;
if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
struct iovec *iov2;
#pragma GCC push_options
#pragma GCC diagnostic ignored "-Walloca-larger-than="
iov2 = alloca(iovlen * sizeof(struct iovec));
CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
#pragma GCC pop_options
for (int i = 0; i < iovlen; ++i) {
iov2[i] = iov[i];
if (remain >= iov2[i].iov_len) {
remain -= iov2[i].iov_len;
} else {
iov2[i].iov_len = remain;
remain = 0;
}
}
iov = iov2;
}
}
if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
@ -112,6 +143,11 @@ static ssize_t Preadv(int fd, struct iovec *iov, int iovlen, int64_t off) {
/**
* Reads with maximum generality.
*
* It's possible for file write request to be partially completed. For
* example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
* beyond that will be ignored. This is a Linux behavior that Cosmo
* polyfills across platforms.
*
* @return number of bytes actually read, or -1 w/ errno
* @cancelationpoint
* @asyncsignalsafe

7
libc/calls/pwrite.c
View file

@ -28,6 +28,7 @@
#include "libc/intrin/asan.internal.h"
#include "libc/intrin/strace.internal.h"
#include "libc/macros.internal.h"
#include "libc/stdio/sysparam.h"
#include "libc/sysv/errfuns.h"
/**
@ -37,7 +38,7 @@
*
* @param fd is something open()'d earlier, noting pipes might not work
* @param buf is copied from, cf. copy_file_range(), sendfile(), etc.
* @param size in range [1..0x7ffff000] is reasonable
* @param size is always saturated to 0x7ffff000 automatically
* @param offset is bytes from start of file at which write begins,
* which can exceed or overlap the end of file, in which case your
* file will be extended
@ -53,6 +54,10 @@ ssize_t pwrite(int fd, const void *buf, size_t size, int64_t offset) {
size_t wrote;
BEGIN_CANCELATION_POINT;
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
size = MIN(size, 0x7ffff000);
if (offset < 0) {
rc = einval();
} else if (fd == -1) {

54
libc/calls/pwritev.c
View file

@ -28,28 +28,57 @@
#include "libc/intrin/likely.h"
#include "libc/intrin/strace.internal.h"
#include "libc/intrin/weaken.h"
#include "libc/limits.h"
#include "libc/mem/alloca.h"
#include "libc/runtime/stack.h"
#include "libc/stdckdint.h"
#include "libc/sysv/errfuns.h"
static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
size_t count = 0;
for (int i = 0; i < iovlen; ++i)
if (ckd_add(&count, count, iov[i].iov_len))
count = SIZE_MAX;
return count;
}
static ssize_t Pwritev(int fd, const struct iovec *iov, int iovlen,
int64_t off) {
int i, e;
size_t sent;
ssize_t rc, toto;
if (fd < 0) {
if (fd < 0)
return ebadf();
}
if (iovlen < 0) {
if (iovlen < 0)
return einval();
}
if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
return efault();
}
if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip)
return ebadf();
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
if (!IsLinux()) {
size_t sum, remain = 0x7ffff000;
if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
struct iovec *iov2;
#pragma GCC push_options
#pragma GCC diagnostic ignored "-Walloca-larger-than="
iov2 = alloca(iovlen * sizeof(struct iovec));
CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
#pragma GCC pop_options
for (int i = 0; i < iovlen; ++i) {
iov2[i] = iov[i];
if (remain >= iov2[i].iov_len) {
remain -= iov2[i].iov_len;
} else {
iov2[i].iov_len = remain;
remain = 0;
}
}
iov = iov2;
}
}
if (IsWindows()) {
@ -116,6 +145,11 @@ static ssize_t Pwritev(int fd, const struct iovec *iov, int iovlen,
* been committed. It can also happen if we need to polyfill this system
* call using pwrite().
*
* It's possible for file write request to be partially completed. For
* example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
* beyond that will be ignored. This is a Linux behavior that Cosmo
* polyfills across platforms.
*
* @return number of bytes actually sent, or -1 w/ errno
* @cancelationpoint
* @asyncsignalsafe

7
libc/calls/read.c
View file

@ -29,6 +29,7 @@
#include "libc/runtime/zipos.internal.h"
#include "libc/sock/internal.h"
#include "libc/sock/sock.h"
#include "libc/stdio/sysparam.h"
#include "libc/sysv/errfuns.h"
/**
@ -41,7 +42,7 @@
*
* @param fd is something open()'d earlier
* @param buf is copied into, cf. copy_file_range(), sendfile(), etc.
* @param size in range [1..0x7ffff000] is reasonable
* @param size is always saturated to 0x7ffff000 automatically
* @return [1..size] bytes on success, 0 on EOF, or -1 w/ errno; with
* exception of size==0, in which case return zero means no error
* @raise EBADF if `fd` is negative or not an open file descriptor
@ -67,6 +68,10 @@ ssize_t read(int fd, void *buf, size_t size) {
ssize_t rc;
BEGIN_CANCELATION_POINT;
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
size = MIN(size, 0x7ffff000);
if (fd < 0) {
rc = ebadf();
} else if ((!buf && size) || (IsAsan() && !__asan_is_valid(buf, size))) {

96
libc/calls/readv.c
View file

@ -28,10 +28,74 @@
#include "libc/intrin/likely.h"
#include "libc/intrin/strace.internal.h"
#include "libc/intrin/weaken.h"
#include "libc/limits.h"
#include "libc/mem/alloca.h"
#include "libc/runtime/stack.h"
#include "libc/runtime/zipos.internal.h"
#include "libc/sock/internal.h"
#include "libc/stdckdint.h"
#include "libc/sysv/errfuns.h"
static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
size_t count = 0;
for (int i = 0; i < iovlen; ++i)
if (ckd_add(&count, count, iov[i].iov_len))
count = SIZE_MAX;
return count;
}
static ssize_t readv_impl(int fd, const struct iovec *iov, int iovlen) {
if (fd < 0)
return ebadf();
if (iovlen < 0)
return einval();
if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
return efault();
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
if (!IsLinux()) {
size_t sum, remain = 0x7ffff000;
if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
struct iovec *iov2;
#pragma GCC push_options
#pragma GCC diagnostic ignored "-Walloca-larger-than="
iov2 = alloca(iovlen * sizeof(struct iovec));
CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
#pragma GCC pop_options
for (int i = 0; i < iovlen; ++i) {
iov2[i] = iov[i];
if (remain >= iov2[i].iov_len) {
remain -= iov2[i].iov_len;
} else {
iov2[i].iov_len = remain;
remain = 0;
}
}
iov = iov2;
}
}
if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
return _weaken(__zipos_read)(
(struct ZiposHandle *)(intptr_t)g_fds.p[fd].handle, iov, iovlen, -1);
} else if (IsLinux() || IsXnu() || IsFreebsd() || IsOpenbsd() || IsNetbsd()) {
if (iovlen == 1) {
return sys_read(fd, iov[0].iov_base, iov[0].iov_len);
} else {
return sys_readv(fd, iov, iovlen);
}
} else if (fd >= g_fds.n) {
return ebadf();
} else if (IsMetal()) {
return sys_readv_metal(fd, iov, iovlen);
} else if (IsWindows()) {
return sys_readv_nt(fd, iov, iovlen);
} else {
return enosys();
}
}
/**
* Reads data to multiple buffers.
*
@ -42,6 +106,11 @@
* be passed to the kernel as read() instead. This yields a 100 cycle
* performance boost in the case of a single small iovec.
*
* It's possible for file write request to be partially completed. For
* example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
* beyond that will be ignored. This is a Linux behavior that Cosmo
* polyfills across platforms.
*
* @return number of bytes actually read, or -1 w/ errno
* @cancelationpoint
* @restartable
@ -49,32 +118,7 @@
ssize_t readv(int fd, const struct iovec *iov, int iovlen) {
ssize_t rc;
BEGIN_CANCELATION_POINT;
if (fd < 0) {
rc = ebadf();
} else if (iovlen < 0) {
rc = einval();
} else if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
rc = efault();
} else if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
rc = _weaken(__zipos_read)(
(struct ZiposHandle *)(intptr_t)g_fds.p[fd].handle, iov, iovlen, -1);
} else if (IsLinux() || IsXnu() || IsFreebsd() || IsOpenbsd() || IsNetbsd()) {
if (iovlen == 1) {
rc = sys_read(fd, iov[0].iov_base, iov[0].iov_len);
} else {
rc = sys_readv(fd, iov, iovlen);
}
} else if (fd >= g_fds.n) {
rc = ebadf();
} else if (IsMetal()) {
rc = sys_readv_metal(fd, iov, iovlen);
} else if (IsWindows()) {
rc = sys_readv_nt(fd, iov, iovlen);
} else {
rc = enosys();
}
rc = readv_impl(fd, iov, iovlen);
END_CANCELATION_POINT;
STRACE("readv(%d, [%s], %d) → %'ld% m", fd, DescribeIovec(rc, iov, iovlen),
iovlen, rc);

6
libc/calls/write.c
View file

@ -27,6 +27,7 @@
#include "libc/intrin/weaken.h"
#include "libc/runtime/zipos.internal.h"
#include "libc/sock/sock.h"
#include "libc/stdio/sysparam.h"
#include "libc/sysv/errfuns.h"
/**
@ -39,6 +40,7 @@
*
* @param fd is open file descriptor
* @param buf is copied from, cf. copy_file_range(), sendfile(), etc.
* @param size is always saturated to 0x7ffff000 automatically
* @return [1..size] bytes on success, or -1 w/ errno; noting zero is
* impossible unless size was passed as zero to do an error check
* @raise EBADF if `fd` is negative or not an open file descriptor
@ -68,6 +70,10 @@ ssize_t write(int fd, const void *buf, size_t size) {
ssize_t rc;
BEGIN_CANCELATION_POINT;
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
size = MIN(size, 0x7ffff000);
if (fd < 0) {
rc = ebadf();
} else if (IsAsan() && !__asan_is_valid(buf, size)) {

94
libc/calls/writev.c
View file

@ -27,8 +27,71 @@
#include "libc/intrin/likely.h"
#include "libc/intrin/strace.internal.h"
#include "libc/intrin/weaken.h"
#include "libc/limits.h"
#include "libc/runtime/stack.h"
#include "libc/sock/internal.h"
#include "libc/stdckdint.h"
#include "libc/sysv/errfuns.h"
#include "libc/vga/vga.internal.h"
static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
size_t count = 0;
for (int i = 0; i < iovlen; ++i)
if (ckd_add(&count, count, iov[i].iov_len))
count = SIZE_MAX;
return count;
}
static ssize_t writev_impl(int fd, const struct iovec *iov, int iovlen) {
if (fd < 0)
return ebadf();
if (iovlen < 0)
return einval();
if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
return efault();
if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip)
return ebadf(); // posix specifies this when not open()'d for writing
// XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
// this is inconsistent with Linux which ignores huge requests
if (!IsLinux()) {
size_t sum, remain = 0x7ffff000;
if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
struct iovec *iov2;
#pragma GCC push_options
#pragma GCC diagnostic ignored "-Walloca-larger-than="
iov2 = alloca(iovlen * sizeof(struct iovec));
CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
#pragma GCC pop_options
for (int i = 0; i < iovlen; ++i) {
iov2[i] = iov[i];
if (remain >= iov2[i].iov_len) {
remain -= iov2[i].iov_len;
} else {
iov2[i].iov_len = remain;
remain = 0;
}
}
iov = iov2;
}
}
if (IsLinux() || IsXnu() || IsFreebsd() || IsOpenbsd() || IsNetbsd()) {
if (iovlen == 1) {
return sys_write(fd, iov[0].iov_base, iov[0].iov_len);
} else {
return sys_writev(fd, iov, iovlen);
}
} else if (fd >= g_fds.n) {
return ebadf();
} else if (IsMetal()) {
return sys_writev_metal(g_fds.p + fd, iov, iovlen);
} else if (IsWindows()) {
return sys_writev_nt(fd, iov, iovlen);
} else {
return enosys();
}
}
/**
* Writes data from multiple buffers.
@ -45,6 +108,11 @@
* been committed. It can also happen if we need to polyfill this system
* call using write().
*
* It's possible for file write request to be partially completed. For
* example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
* beyond that will be ignored. This is a Linux behavior that Cosmo
* polyfills across platforms.
*
* @return number of bytes actually handed off, or -1 w/ errno
* @cancelationpoint
* @restartable
@ -52,31 +120,7 @@
ssize_t writev(int fd, const struct iovec *iov, int iovlen) {
ssize_t rc;
BEGIN_CANCELATION_POINT;
if (fd < 0) {
rc = ebadf();
} else if (iovlen < 0) {
rc = einval();
} else if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
rc = efault();
} else if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
rc = ebadf(); // posix specifies this when not open()'d for writing
} else if (IsLinux() || IsXnu() || IsFreebsd() || IsOpenbsd() || IsNetbsd()) {
if (iovlen == 1) {
rc = sys_write(fd, iov[0].iov_base, iov[0].iov_len);
} else {
rc = sys_writev(fd, iov, iovlen);
}
} else if (fd >= g_fds.n) {
rc = ebadf();
} else if (IsMetal()) {
rc = sys_writev_metal(g_fds.p + fd, iov, iovlen);
} else if (IsWindows()) {
rc = sys_writev_nt(fd, iov, iovlen);
} else {
rc = enosys();
}
rc = writev_impl(fd, iov, iovlen);
END_CANCELATION_POINT;
STRACE("writev(%d, %s, %d) → %'ld% m", fd,
DescribeIovec(rc != -1 ? rc : -2, iov, iovlen), iovlen, rc);

26
test/posix/fread3gb_test.c
View file

@ -30,10 +30,14 @@ int setup(void) {
return 2;
if (pwrite(fd, "a", 1, 0) != 1)
return 3;
if (pwrite(fd, "z", 1, SIZE - 1) != 1)
if (pwrite(fd, "b", 1, 0x7fffefff) != 1)
return 4;
if (close(fd))
if (pwrite(fd, "c", 1, 0x7ffff000) != 1)
return 5;
if (pwrite(fd, "z", 1, SIZE - 1) != 1)
return 6;
if (close(fd))
return 7;
return 0;
}
@ -42,17 +46,21 @@ int test(void) {
char *buf;
size_t rc;
if (!(f = fopen(path, "r")))
return 6;
if (!(buf = malloc(SIZE)))
return 7;
if ((rc = fread(buf, SIZE, 1, f)) != 1)
return 8;
if (buf[0] != 'a')
if (!(buf = malloc(SIZE)))
return 9;
if (buf[SIZE - 1] != 'z')
if ((rc = fread(buf, SIZE, 1, f)) != 1)
return 10;
if (fclose(f))
if (buf[0] != 'a')
return 11;
if (buf[0x7fffefff] != 'b')
return 12;
if (buf[0x7ffff000] != 'c')
return 13;
if (buf[SIZE - 1] != 'z')
return 14;
if (fclose(f))
return 15;
return 0;
}