Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp624357ybl; Fri, 24 Jan 2020 06:38:19 -0800 (PST) X-Google-Smtp-Source: APXvYqz8N/HCJFXR686XQUYouZqCOUD7CMRhMocvBaQuWKdB3ImMinZkfkPHuiLJWySdooz4YVs8 X-Received: by 2002:a9d:7548:: with SMTP id b8mr1906590otl.74.1579876699711; Fri, 24 Jan 2020 06:38:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579876699; cv=none; d=google.com; s=arc-20160816; b=KsaIzUB7EhBmcCT0P7sxm4kCR8kxWo0GEqlV9E9m7Zrh4qieWFeT3pKRhOyNU6LpPm EtS0H9Ar2LP7y+NDN7aEj9RNgoCZYV/OvG2iCM5h5fCc0krcYbZCDFbJ0qJBDVJ5U273 fKDvurbzAUexgCpazhzwzfundZyZvnkVGAHiZOGDi3GuWd1PXMSTBqTy2BiK8WVsBo7H 7FzWnQRtlDrONPd/D0LiIup2NtNu8f/Cc3Qzbd6QO4Gq74Q5lfrB/GnzpOiw2J9xnHU0 30PdceiEOovcghU3V8BrGRdzklgEdv5W+cNnmDQKB2vjdxZvZUqF/D1LOlsJNDQZsNb6 O4jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=h/lqmti6H9yannLO+kGMd8SJvMbBfEjguf8sOoTZBMw=; b=G2VMmmCqZBHgIKXgXDlWD5omR5lXmpvo3uIawzWwzMIeTeL7VTfRNBjpUbizvhBtEk ng4raqEGoyl/YgpdCpTg0bMyQxHrYVmObWvAcb7kYcU1q1WTCzx+lFPZFggeyiXO8ZAj EUNn0qezIQb8LNTcno8IPJQtuUcEhQhvdIXD+IHE4wBwiguyzE9HIyHiQZJmjPNtkwB6 Re/8Wq02Wyu5j+0+fMpw3mGLp1EN+09ylh6zoq1/LwWjhFSiEbb6Ji1C/Z+hEaByLQd9 HHhC3MGU7yS9cSdHE8SIuFyKpJYTVTg/U6lteq4ulzNpoynsa+WkCLr8HnBr0br29zVC NnRw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=libc.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z18si2919965otk.206.2020.01.24.06.38.07; Fri, 24 Jan 2020 06:38:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=libc.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389316AbgAXOHZ (ORCPT + 99 others); Fri, 24 Jan 2020 09:07:25 -0500 Received: from 216-12-86-13.cv.mvl.ntelos.net ([216.12.86.13]:52890 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387412AbgAXOHY (ORCPT ); Fri, 24 Jan 2020 09:07:24 -0500 Received: from dalias by brightrain.aerifal.cx with local (Exim 3.15 #2) id 1iuzcH-0001sV-00; Fri, 24 Jan 2020 14:07:21 +0000 Date: Fri, 24 Jan 2020 09:07:21 -0500 From: Rich Felker To: Florian Weimer Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Alexander Viro Subject: Re: Proposal to fix pwrite with O_APPEND via pwritev2 flag Message-ID: <20200124140721.GV30412@brightrain.aerifal.cx> References: <20200124000243.GA12112@brightrain.aerifal.cx> <87d0b942lp.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87d0b942lp.fsf@oldenburg2.str.redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 24, 2020 at 10:37:22AM +0100, Florian Weimer wrote: > * Rich Felker: > > > There's a longstanding unfixable (due to API stability) bug in the > > pwrite syscall: > > > > http://man7.org/linux/man-pages/man2/pwrite.2.html#BUGS > > > > whereby it wrongly honors O_APPEND if set, ignoring the caller-passed > > offset. Now that there's a pwritev2 syscall that takes a flags > > argument, it's possible to fix this without breaking stability by > > adding a new RWF_NOAPPEND flag, which callers that want the fixed > > behavior can then pass. > > > > I have a completely untested patch to add such a flag, but would like > > to get a feel for whether the concept is acceptable before putting > > time into testing it. If so, I'll submit this as a proper patch with > > detailed commit message etc. Draft is below. > > Has this come up before? I'm not sure if there's an open glibc bug for it or not, but it's come up in musl community before that the kernel is non-conforming here for historical reasons (preserving the original bug in case any software is depending on it) and we've always wanted to have a fix, but couldn't find one short of just erroring out if O_APPEND is set when pwrite is called. That's what the fallback will do (rather than silently write data at the wrong place) if pwritev2+RWF_NOAPPEND is not supported on the system at runtime. > I had already written a test case and it turns out that an O_APPEND > descriptor does not protect the previously written data in the file: > > openat(AT_FDCWD, "/tmp/append-truncateuoRexJ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3 > write(3, "@", 1) = 1 > close(3) = 0 > openat(AT_FDCWD, "/tmp/append-truncateuoRexJ", O_WRONLY|O_APPEND) = 3 > ftruncate(3, 0) = 0 > > So at least it looks like there is no security issue in adding a > RWF_NOAPPEND flag. Indeed, if you have the file open you can just use fcntl to remove O_APPEND (but of course using that in an emulation would be racy), so it's not a security boundary. Someone could try to "make it into one" with seccomp, blocking fcntl that would remove O_APPEND and blocking ftruncate, mmap, and all other ways you could modify the existing part of the file, but that sounds fragile, and if they really want to do that they can block pwritev2 as well (or at least block it with RWF_NOAPPEND or future/unknown flags). Rich