[PATCH] Limit sendfile() to 2^31-PAGE_CACHE_SIZE bytes without error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



sendfile() has a limit of 2^31-1 bytes even on 64-bit platforms. Linus wants to maintain it in order to avoid potential future security bugs (always a good thing.)

This patch changes the behaviour from returning EINVAL when this limit is exceeded to returning a short count. This means that a properly-written userspace program will simply loop around and continue; it will expose bugs in improperly-written userspace programs, which is also a good thing. Additionally, the limit becomes an issue that is completely contained within the kernel, and not encoded in the kernel ABI, so it can be changed in the future.

(I set the limit to 2^31-PAGE_CACHE_SIZE so that a transfer that starts at the beginning of the file will continue to be page-aligned.)

The

Signed-off-by: H. Peter Anvin <[email protected]>
diff --git a/fs/read_write.c b/fs/read_write.c
index a091ee4..3712886 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -9,6 +9,7 @@
 #include <linux/fcntl.h>
 #include <linux/file.h>
 #include <linux/uio.h>
+#include <linux/pagemap.h>
 #include <linux/smp_lock.h>
 #include <linux/fsnotify.h>
 #include <linux/security.h>
@@ -631,6 +632,9 @@ static ssize_t do_sendfile(int out_fd, i
 	ssize_t retval;
 	int fput_needed_in, fput_needed_out;
 
+	/* Avoid potential security holes.  User space will get a short count and should loop. */
+	count = min(count, (size_t)0x80000000-PAGE_CACHE_SIZE);
+
 	/*
 	 * Get input file, and verify that it is ok..
 	 */

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux