Re: splice vs O_APPEND

From: Miklos Szeredi
Date: Thu Oct 09 2008 - 15:52:11 EST


On Thu, 9 Oct 2008, Linus Torvalds wrote:
> Of course, I think POSIX is crazy, and we probably _should_ always honor
> O_APPEND, and returning -EINVAL is the right thing for both pwrite and
> splice, but this is all a murkier issue than it looked like originally,
> and any possible "security" implications are dubious in that you cannot
> really depend on O_APPEND/IS_APPEND anyway.

The thing is, the append-only attribute is absolutely useless without
being able to depend on it. So in that sense I think the IS_APPEND
issue is important, and I'm fine with your original proposal for that
(except we don't need the IS_IMMUTABLE check).

I also agree that the O_APPEND issue is murky and should probably be
discussed separately.

Thanks,
Miklos
----

Subject: splice: disallow random writes for append-only inodes

From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>

It was possible to write to a random location in an append-only file
using splice.

Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxx>
---
fs/splice.c | 5 +++++
1 file changed, 5 insertions(+)

Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c 2008-10-09 21:46:07.000000000 +0200
+++ linux-2.6/fs/splice.c 2008-10-09 21:47:42.000000000 +0200
@@ -891,6 +891,7 @@ static long do_splice_from(struct pipe_i
loff_t *ppos, size_t len, unsigned int flags)
{
int ret;
+ struct inode *inode;

if (unlikely(!out->f_op || !out->f_op->splice_write))
return -EINVAL;
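Review bot: the new local `struct inode *inode;` at the top of do_splice_from() is read exactly once, by the IS_APPEND() test added in the next hunk. Writing that test as `if (IS_APPEND(out->f_dentry->d_inode))` would drop the extra declaration and this whole hunk, leaving a single-hunk patch. If the local is kept for readability, declaring it next to `int ret;` as done here is fine.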
@@ -898,6 +899,10 @@ static long do_splice_from(struct pipe_i
if (unlikely(!(out->f_mode & FMODE_WRITE)))
return -EBADF;

+ inode = out->f_dentry->d_inode;
+ if (IS_APPEND(inode))
+ return -EINVAL;
+
ret = rw_verify_area(WRITE, out, ppos, len);
if (unlikely(ret < 0))
return ret;
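Review bot: the `if (IS_APPEND(inode)) return -EINVAL;` test sits ahead of rw_verify_area() and never looks at `*ppos`, so it refuses every splice into an append-only inode, including one that would land exactly at end of file, while the subject line only speaks of disallowing random writes. If refusing splice outright on such inodes is the intent, the changelog or a one-line comment above the check should say so. If appending through splice is meant to keep working, the test has to take the target offset into account rather than the inode flag alone. The check is also not wrapped in unlikely() like the two tests above it, which is a minor consistency point.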