[Bug libc/11333] New: size of struct dirent does not agree with kernel when using LFS on 32bit

[Bug libc/11333] New: size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

Forwarded from https://launchpad.net/bugs/392501

It seems that the actual size of "struct dirent" with LFS enabled is 280 bytes,
but when defined for 32bit applications, the defined struct ends up at 276, and
something (the kernel?) is still writing the remaining 4 bytes.

Built on 64bit:
cc -Wall -Werror -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 
-o test-native test.c
cc -Wall -Werror -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-m32  -o test-m32 test.c
mkdir -p bug-dir
touch
bug-dir/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
./test-native bug-dir
sizeof(struct dirent): 280
./test-m32 bug-dir
sizeof(struct dirent): 276
*** stack smashing detected ***: ./test-m32 terminated

Built on 32bit:
cc -Wall -Werror -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 
-o test-native test.c
cc -Wall -Werror -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-m32  -o test-m32 test.c
mkdir -p bug-dir
touch
bug-dir/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
./test-native bug-dir
sizeof(struct dirent): 276
*** stack smashing detected ***: ./test-native terminated

/// test.c
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <inttypes.h>

void func(const char*path) {
    struct dirent entry;
    struct dirent *result = NULL;
    int ret;

    DIR *dir = opendir(path);
    if(!dir) abort();
    printf("sizeof(struct dirent): %" PRIuFAST32 "\n", sizeof(entry));
    while (!(ret = readdir_r(dir, &entry, &result)) && result) {}
}

int main(int argc, const char** argv) {
    if(argc < 2) abort();
    func(argv[1]);
    return 0;
}

-- 
           Summary: size of struct dirent does not agree with kernel when
                    using LFS on 32bit
           Product: glibc
           Version: 2.11
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: kees at outflux dot net
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

------- Additional Comments From kees at outflux dot net  2010-02-27 06:16 -------
Created an attachment (id=4637)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4637&action=view)
test.c


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

------- Additional Comments From kees at outflux dot net  2010-02-27 06:16 -------
Created an attachment (id=4636)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4636&action=view)
Makefile

Line-wrapping did nasty things to the 255-character filename in the original
bug description.  Here is a Makefile and test.c that demonstrates the issue. 
What's really odd is that the 4 byte difference appears to be strictly padding?
 All the offsets and sizes are the same between 64bit and 32bit:

./test-native bug-dir
sizeof(struct dirent): 280
	sizeof(dirent.d_ino@0): 8
	sizeof(dirent.d_off@8): 8
	sizeof(dirent.d_reclen@16): 2
	sizeof(dirent.d_type@18): 1
	sizeof(dirent.d_name@19): 256
./test-m32 bug-dir
sizeof(struct dirent): 276
	sizeof(dirent.d_ino@0): 8
	sizeof(dirent.d_off@8): 8
	sizeof(dirent.d_reclen@16): 2
	sizeof(dirent.d_type@18): 1
	sizeof(dirent.d_name@19): 256
*** stack smashing detected ***: ./test-m32 terminated


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

------- Additional Comments From kees at outflux dot net  2010-02-27 06:38 -------
Created an attachment (id=4638)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4638&action=view)
test.c

This reports the reclen coming from the dirp->data.  sysdeps/unix/readdir_r.c:

      bytes = __GETDENTS (dirp->fd, dirp->data, maxread);
...
      dp = (DIRENT_TYPE *) &dirp->data[dirp->offset];
...
      reclen = dp->d_reclen;
...
    *result = memcpy (entry, dp, reclen);

It seems that the memcpy is what overflows.  I wonder if adding an
"assert(sizeof(*entry) >= reclen)" should be added in here for fun, too.


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #4637 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

------- Additional Comments From kees at outflux dot net  2010-02-27 07:16 -------
Looks like the kernel unconditionally aligns/pads to 8 bytes in the 64bit
interface.  fs/readdir.c, filldir64() says:
   int reclen = ALIGN(NAME_OFFSET(dirent) + namlen + 1, sizeof(u64));

which means it looks like alignment needs to be forced in glibc too.  I don't
think __attribute__ ((aligned (sizeof (__off64_t)))) is acceptable for
bits/dirent.h as that's a gcc extension.  Thoughts?


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2010-04-04 06:54 -------
You cannot change the data structure definition, that's an ABI change.

I've added code handling the memcpy.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

------- Additional Comments From kees at outflux dot net  2010-04-04 17:55 -------
Thanks!

http://repo.or.cz/w/glibc.git/commitdiff/1a81139728494810f65aaa0d0c538ff8c2783dd5

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[funtoos at yahoo dot com]

------- Additional Comments From funtoos at yahoo dot com  2010-05-26 21:56 -------
Does this apply to earlier glibc versions as well?

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[kees at outflux dot net]

------- Additional Comments From kees at outflux dot net  2010-05-26 23:07 -------
Yes, this bug seems to have always existed.  I checked back through ancient
Linux kernel history, and it's always padded the dirent up to get the 64bit
alignment.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11333

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11333] size of struct dirent does not agree with kernel when using LFS on 32bit

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=11333

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=14699
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.