From: Matthew Fernandez <matthew.fernandez@nicta.com.au>
To: <musl@lists.openwall.com>
Cc: Rich Felker <dalias@aerifal.cx>
Subject: Re: Use of size_t and ssize_t in mseek
Date: Fri, 28 Jun 2013 10:49:41 +1000 [thread overview]
Message-ID: <51CCDDA5.5050503@nicta.com.au> (raw)
In-Reply-To: <20130627153429.GZ29800@brightrain.aerifal.cx>
On 28/06/13 01:34, Rich Felker wrote:
> On Thu, Jun 27, 2013 at 02:31:48PM +1000, Matthew Fernandez wrote:
>> On 27/06/13 14:23, Rich Felker wrote:
>>> On Thu, Jun 27, 2013 at 02:16:15PM +1000, Matthew Fernandez wrote:
>>>> Perfectly reasonable to make it UB (and I had assumed it was so
>>>> already).
>>>
>>> Well the UB is just passing a wrong size. But the only way you can
>>> guarantee that such a huge size is "wrong" is by cutting off all ways
>>> of making such a large object.
>>
>> In some sense this is true, but this would not have affected my
>> scenario. I do not know the size of the object to which I have a pointer
>> to and the object was not derived from Musl C functionality. As a bit of
>> context, this is an embedded environment where we don't have much
>> address space introspection. I suppose you could argue that I should
>> have re-implemented fmemopen in a way that didn't assume a bounded buffer.
>
> Thanks for providing the added context. It helps to understand the
> situation a lot better. Am I correct in assuming that you're using
> musl not on Linux, but ported to an underlying embedded environment,
> possibly without a kernel? The reason I ask is that I don't see how
> Linux would give you such an object without you requesting it via a
> syscall of some sort.
Yes, Rich, you're correct. I'm using Musl in userspace on the seL4
microkernel [0]. I'm getting this object from a bootstrapping process
that inserts it into my address space. The object is not actually
SIZE_MAX-sized, but I don't have accurate bounds for it at the time I
call fmemopen.
[0]: http://www.ertos.nicta.com.au/research/sel4/
> Anyway, if I'm understanding your usage case correctly, I think we
> should eventually provide documentation (perhaps in the porting
> section of the future manual) about using musl like this. And either
> we should document that it's undefined behavior to pass sizes larger
> than PTRDIFF_MAX/SSIZE_MAX to functions in musl, or we should make an
> effort to find all the functions affected by this issue and make them
> either reject such large sizes, or work safely with them.
>
> As a user of musl, what's your take on this?
A check in fmemopen (and other affected functions) would be my preferred
solution, as an unwitting user like myself who doesn't check all the
assumptions would still be caught out by just documenting it as
undefined. I would be happy with just an assert-fail here if that's easiest.
>> Yes, I agree with this reasoning. It seems fmemopen should really take a
>> ssize_t, but this would require deviating from the standard which is
>> undesirable.
>
> There are a lot of functions (read, write, ...) that "should" take
> ssize_t, in some sense of "should", but that wouldn't really fix the
> problem either, since large values would just get converted to
> negative values when passed to the functions.
True, but I would at least get a compiler warning. Anyway, I agree that
changing the function signature is not appropriate.
________________________________
The information in this e-mail may be confidential and subject to legal professional privilege and/or copyright. National ICT Australia Limited accepts no liability for any damage caused by this email or its attachments.
next prev parent reply other threads:[~2013-06-28 0:49 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-27 3:52 Matthew Fernandez
2013-06-27 4:10 ` Rich Felker
2013-06-27 4:16 ` Matthew Fernandez
2013-06-27 4:23 ` Rich Felker
2013-06-27 4:31 ` Matthew Fernandez
2013-06-27 15:34 ` Rich Felker
2013-06-28 0:49 ` Matthew Fernandez [this message]
2013-06-28 1:22 ` Rich Felker
2013-06-28 1:34 ` Matthew Fernandez
2013-06-28 1:48 ` Rich Felker
2013-06-28 1:56 ` Matthew Fernandez
2013-06-29 4:13 ` Rich Felker
2013-06-29 13:38 ` Matthew Fernandez
2013-06-29 14:17 ` Rich Felker
2013-06-29 14:56 ` Jens Gustedt
2013-06-29 15:48 ` Rich Felker
2013-06-29 16:01 ` Jens Gustedt
2013-06-29 16:13 ` Rich Felker
2013-06-29 16:39 ` Jens Gustedt
2013-07-04 1:28 ` Rich Felker
2013-07-04 6:11 ` Jens Gustedt
2013-07-04 6:37 ` Rich Felker
2013-07-04 7:11 ` Jens Gustedt
2013-07-04 8:12 ` Rich Felker
2013-07-04 8:45 ` Jens Gustedt
2013-07-04 15:24 ` Rich Felker
2013-07-04 11:10 ` Szabolcs Nagy
2013-07-04 11:58 ` Jens Gustedt
2013-07-04 15:26 ` Rich Felker
2013-06-27 10:35 ` Szabolcs Nagy
2013-06-27 15:05 ` Rich Felker
2013-06-27 16:47 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51CCDDA5.5050503@nicta.com.au \
--to=matthew.fernandez@nicta.com.au \
--cc=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).