Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Guard against future
statx
fields. (#379)
* Guard against future `statx` fields. Future versions of Linux may recognize new `statx` mask flags, which enable writing to new `struct statx` fields. If a rustix user constructs a flags value with `from_bits_unchecked`, they could potentially create a flags value that causes `statx` on such a future Linux version to write fields outside the buffer, evoking undefined behavior. This is very unlikely to be a practical problem today, because: - Scanning all known public users of rustix, I don't see any constructing `StatxFlags` values this way. - It's unlikely that any rustix user would ever have a need to construct `StatxFlags` values this way. - No existing version of Linux increases the size of `struct statx` beyond what rustix currently knows about. - `struct statx` contains several spare fields, including a `__u64 __spare3[12]` specifically for expansion, so even if a future Linux version defines new fields, it has lots of space available before it needs to start increasing the size of `struct statx`.
- Loading branch information
1 parent
7fa7a98
commit 2c6db2e
Showing
4 changed files
with
80 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
#[test] | ||
fn test_statx_unknown_flags() { | ||
use rustix::fs::{AtFlags, StatxFlags}; | ||
|
||
let f = std::fs::File::open(".").unwrap(); | ||
|
||
// It's ok (though still unwise) to construct flags values that have | ||
// unknown bits. Exclude `STATX__RESERVED` here as that evokes an explicit | ||
// failure; that's tested separately below. | ||
let too_many_flags = | ||
unsafe { StatxFlags::from_bits_unchecked(!0 & !linux_raw_sys::general::STATX__RESERVED) }; | ||
|
||
// It's also ok to pass such flags to `statx`. | ||
let result = rustix::fs::statx(&f, "Cargo.toml", AtFlags::empty(), too_many_flags).unwrap(); | ||
|
||
// But, rustix should mask off bits it doesn't recognize, because these | ||
// extra flags may tell future kernels to set extra fields beyond the | ||
// extend of rustix's statx buffer. So make sure we didn't get extra | ||
// fields. | ||
assert_eq!(result.stx_mask & !StatxFlags::all().bits(), 0); | ||
} | ||
|
||
#[test] | ||
fn test_statx_reserved() { | ||
use rustix::fs::{AtFlags, StatxFlags}; | ||
|
||
let f = std::fs::File::open(".").unwrap(); | ||
|
||
// It's ok (though still unwise) to construct a `STATX__RESERVED` flag | ||
// value but `statx` should reliably fail with `INVAL`. | ||
let reserved = | ||
unsafe { StatxFlags::from_bits_unchecked(linux_raw_sys::general::STATX__RESERVED) }; | ||
match rustix::fs::statx(&f, "Cargo.toml", AtFlags::empty(), reserved) { | ||
Ok(_) => panic!("statx succeeded with `STATX__RESERVED`"), | ||
Err(err) => assert_eq!(err, rustix::io::Errno::INVAL), | ||
} | ||
} |