Ensure io requests are always capped at 0x7ffff000

This gives us the Linux behavior across platforms.

Fixes #1189

Author: jart

Makefile

@@ -133,7 +133,7 @@ endif
 
 ifneq ($(findstring aarch64,$(MODE)),)
 ARCH = aarch64
-HOSTS ?= pi pi5 studio freebsdarm
+HOSTS ?= pi studio freebsdarm
 else
 ARCH = x86_64
 HOSTS ?= freebsd rhel7 xnu openbsd netbsd win10

libc/calls/pread.c

@@ -30,6 +30,7 @@
 #include "libc/macros.internal.h"
 #include "libc/runtime/runtime.h"
 #include "libc/runtime/zipos.internal.h"
+#include "libc/stdio/sysparam.h"
 #include "libc/sysv/errfuns.h"
 
 /**
@@ -39,7 +40,7 @@
  *
  * @param fd is something open()'d earlier, noting pipes might not work
  * @param buf is copied into, cf. copy_file_range(), sendfile(), etc.
- * @param size in range [1..0x7ffff000] is reasonable
+ * @param size is always saturated to 0x7ffff000 automatically
  * @param offset is bytes from start of file at which read begins
  * @return [1..size] bytes on success, 0 on EOF, or -1 w/ errno; with
  *     exception of size==0, in which case return zero means no error
@@ -58,6 +59,10 @@ ssize_t pread(int fd, void *buf, size_t size, int64_t offset) {
   ssize_t rc;
   BEGIN_CANCELATION_POINT;
 
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  size = MIN(size, 0x7ffff000);
+
   if (offset < 0) {
     rc = einval();
   } else if (fd < 0) {

libc/calls/preadv.c

@@ -28,24 +28,55 @@
 #include "libc/intrin/likely.h"
 #include "libc/intrin/strace.internal.h"
 #include "libc/intrin/weaken.h"
+#include "libc/limits.h"
+#include "libc/mem/alloca.h"
+#include "libc/runtime/stack.h"
 #include "libc/runtime/zipos.internal.h"
+#include "libc/stdckdint.h"
 #include "libc/sysv/errfuns.h"
 
+static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
+  size_t count = 0;
+  for (int i = 0; i < iovlen; ++i)
+    if (ckd_add(&count, count, iov[i].iov_len))
+      count = SIZE_MAX;
+  return count;
+}
+
 static ssize_t Preadv(int fd, struct iovec *iov, int iovlen, int64_t off) {
   int e, i;
   size_t got;
   ssize_t rc, toto;
 
-  if (fd < 0) {
+  if (fd < 0)
     return ebadf();
-  }
-
-  if (iovlen < 0) {
+  if (iovlen < 0)
     return einval();
-  }
-
-  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
+  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
     return efault();
+
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  if (!IsLinux()) {
+    size_t sum, remain = 0x7ffff000;
+    if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
+      struct iovec *iov2;
+#pragma GCC push_options
+#pragma GCC diagnostic ignored "-Walloca-larger-than="
+      iov2 = alloca(iovlen * sizeof(struct iovec));
+      CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
+#pragma GCC pop_options
+      for (int i = 0; i < iovlen; ++i) {
+        iov2[i] = iov[i];
+        if (remain >= iov2[i].iov_len) {
+          remain -= iov2[i].iov_len;
+        } else {
+          iov2[i].iov_len = remain;
+          remain = 0;
+        }
+      }
+      iov = iov2;
+    }
   }
 
   if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
@@ -112,6 +143,11 @@ static ssize_t Preadv(int fd, struct iovec *iov, int iovlen, int64_t off) {
 /**
  * Reads with maximum generality.
  *
+ * It's possible for file write request to be partially completed. For
+ * example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
+ * beyond that will be ignored. This is a Linux behavior that Cosmo
+ * polyfills across platforms.
+ *
  * @return number of bytes actually read, or -1 w/ errno
  * @cancelationpoint
  * @asyncsignalsafe

libc/calls/pwrite.c

@@ -28,6 +28,7 @@
 #include "libc/intrin/asan.internal.h"
 #include "libc/intrin/strace.internal.h"
 #include "libc/macros.internal.h"
+#include "libc/stdio/sysparam.h"
 #include "libc/sysv/errfuns.h"
 
 /**
@@ -37,7 +38,7 @@
  *
  * @param fd is something open()'d earlier, noting pipes might not work
  * @param buf is copied from, cf. copy_file_range(), sendfile(), etc.
- * @param size in range [1..0x7ffff000] is reasonable
+ * @param size is always saturated to 0x7ffff000 automatically
  * @param offset is bytes from start of file at which write begins,
  *     which can exceed or overlap the end of file, in which case your
  *     file will be extended
@@ -53,6 +54,10 @@ ssize_t pwrite(int fd, const void *buf, size_t size, int64_t offset) {
   size_t wrote;
   BEGIN_CANCELATION_POINT;
 
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  size = MIN(size, 0x7ffff000);
+
   if (offset < 0) {
     rc = einval();
   } else if (fd == -1) {

libc/calls/pwritev.c

@@ -28,28 +28,57 @@
 #include "libc/intrin/likely.h"
 #include "libc/intrin/strace.internal.h"
 #include "libc/intrin/weaken.h"
+#include "libc/limits.h"
+#include "libc/mem/alloca.h"
+#include "libc/runtime/stack.h"
+#include "libc/stdckdint.h"
 #include "libc/sysv/errfuns.h"
 
+static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
+  size_t count = 0;
+  for (int i = 0; i < iovlen; ++i)
+    if (ckd_add(&count, count, iov[i].iov_len))
+      count = SIZE_MAX;
+  return count;
+}
+
 static ssize_t Pwritev(int fd, const struct iovec *iov, int iovlen,
                        int64_t off) {
   int i, e;
   size_t sent;
   ssize_t rc, toto;
 
-  if (fd < 0) {
+  if (fd < 0)
     return ebadf();
-  }
-
-  if (iovlen < 0) {
+  if (iovlen < 0)
     return einval();
-  }
-
-  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
+  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
     return efault();
-  }
-
-  if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
+  if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip)
     return ebadf();
+
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  if (!IsLinux()) {
+    size_t sum, remain = 0x7ffff000;
+    if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
+      struct iovec *iov2;
+#pragma GCC push_options
+#pragma GCC diagnostic ignored "-Walloca-larger-than="
+      iov2 = alloca(iovlen * sizeof(struct iovec));
+      CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
+#pragma GCC pop_options
+      for (int i = 0; i < iovlen; ++i) {
+        iov2[i] = iov[i];
+        if (remain >= iov2[i].iov_len) {
+          remain -= iov2[i].iov_len;
+        } else {
+          iov2[i].iov_len = remain;
+          remain = 0;
+        }
+      }
+      iov = iov2;
+    }
   }
 
   if (IsWindows()) {
@@ -116,6 +145,11 @@ static ssize_t Pwritev(int fd, const struct iovec *iov, int iovlen,
  * been committed. It can also happen if we need to polyfill this system
  * call using pwrite().
  *
+ * It's possible for file write request to be partially completed. For
+ * example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
+ * beyond that will be ignored. This is a Linux behavior that Cosmo
+ * polyfills across platforms.
+ *
  * @return number of bytes actually sent, or -1 w/ errno
  * @cancelationpoint
  * @asyncsignalsafe

libc/calls/read.c

@@ -29,6 +29,7 @@
 #include "libc/runtime/zipos.internal.h"
 #include "libc/sock/internal.h"
 #include "libc/sock/sock.h"
+#include "libc/stdio/sysparam.h"
 #include "libc/sysv/errfuns.h"
 
 /**
@@ -41,7 +42,7 @@
  *
  * @param fd is something open()'d earlier
  * @param buf is copied into, cf. copy_file_range(), sendfile(), etc.
- * @param size in range [1..0x7ffff000] is reasonable
+ * @param size is always saturated to 0x7ffff000 automatically
  * @return [1..size] bytes on success, 0 on EOF, or -1 w/ errno; with
  *     exception of size==0, in which case return zero means no error
  * @raise EBADF if `fd` is negative or not an open file descriptor
@@ -67,6 +68,10 @@ ssize_t read(int fd, void *buf, size_t size) {
   ssize_t rc;
   BEGIN_CANCELATION_POINT;
 
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  size = MIN(size, 0x7ffff000);
+
   if (fd < 0) {
     rc = ebadf();
   } else if ((!buf && size) || (IsAsan() && !__asan_is_valid(buf, size))) {

libc/calls/readv.c

@@ -28,10 +28,74 @@
 #include "libc/intrin/likely.h"
 #include "libc/intrin/strace.internal.h"
 #include "libc/intrin/weaken.h"
+#include "libc/limits.h"
+#include "libc/mem/alloca.h"
+#include "libc/runtime/stack.h"
 #include "libc/runtime/zipos.internal.h"
 #include "libc/sock/internal.h"
+#include "libc/stdckdint.h"
 #include "libc/sysv/errfuns.h"
 
+static size_t SumIovecBytes(const struct iovec *iov, int iovlen) {
+  size_t count = 0;
+  for (int i = 0; i < iovlen; ++i)
+    if (ckd_add(&count, count, iov[i].iov_len))
+      count = SIZE_MAX;
+  return count;
+}
+
+static ssize_t readv_impl(int fd, const struct iovec *iov, int iovlen) {
+  if (fd < 0)
+    return ebadf();
+  if (iovlen < 0)
+    return einval();
+  if (IsAsan() && !__asan_is_valid_iov(iov, iovlen))
+    return efault();
+
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  if (!IsLinux()) {
+    size_t sum, remain = 0x7ffff000;
+    if ((sum = SumIovecBytes(iov, iovlen)) > remain) {
+      struct iovec *iov2;
+#pragma GCC push_options
+#pragma GCC diagnostic ignored "-Walloca-larger-than="
+      iov2 = alloca(iovlen * sizeof(struct iovec));
+      CheckLargeStackAllocation(iov2, iovlen * sizeof(struct iovec));
+#pragma GCC pop_options
+      for (int i = 0; i < iovlen; ++i) {
+        iov2[i] = iov[i];
+        if (remain >= iov2[i].iov_len) {
+          remain -= iov2[i].iov_len;
+        } else {
+          iov2[i].iov_len = remain;
+          remain = 0;
+        }
+      }
+      iov = iov2;
+    }
+  }
+
+  if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
+    return _weaken(__zipos_read)(
+        (struct ZiposHandle *)(intptr_t)g_fds.p[fd].handle, iov, iovlen, -1);
+  } else if (IsLinux() || IsXnu() || IsFreebsd() || IsOpenbsd() || IsNetbsd()) {
+    if (iovlen == 1) {
+      return sys_read(fd, iov[0].iov_base, iov[0].iov_len);
+    } else {
+      return sys_readv(fd, iov, iovlen);
+    }
+  } else if (fd >= g_fds.n) {
+    return ebadf();
+  } else if (IsMetal()) {
+    return sys_readv_metal(fd, iov, iovlen);
+  } else if (IsWindows()) {
+    return sys_readv_nt(fd, iov, iovlen);
+  } else {
+    return enosys();
+  }
+}
+
 /**
  * Reads data to multiple buffers.
  *
@@ -42,39 +106,19 @@
  * be passed to the kernel as read() instead. This yields a 100 cycle
  * performance boost in the case of a single small iovec.
  *
+ * It's possible for file write request to be partially completed. For
+ * example, if the sum of `iov` lengths exceeds 0x7ffff000 then bytes
+ * beyond that will be ignored. This is a Linux behavior that Cosmo
+ * polyfills across platforms.
+ *
  * @return number of bytes actually read, or -1 w/ errno
  * @cancelationpoint
  * @restartable
  */
 ssize_t readv(int fd, const struct iovec *iov, int iovlen) {
   ssize_t rc;
   BEGIN_CANCELATION_POINT;
-
-  if (fd < 0) {
-    rc = ebadf();
-  } else if (iovlen < 0) {
-    rc = einval();
-  } else if (IsAsan() && !__asan_is_valid_iov(iov, iovlen)) {
-    rc = efault();
-  } else if (fd < g_fds.n && g_fds.p[fd].kind == kFdZip) {
-    rc = _weaken(__zipos_read)(
-        (struct ZiposHandle *)(intptr_t)g_fds.p[fd].handle, iov, iovlen, -1);
-  } else if (IsLinux() || IsXnu() || IsFreebsd() || IsOpenbsd() || IsNetbsd()) {
-    if (iovlen == 1) {
-      rc = sys_read(fd, iov[0].iov_base, iov[0].iov_len);
-    } else {
-      rc = sys_readv(fd, iov, iovlen);
-    }
-  } else if (fd >= g_fds.n) {
-    rc = ebadf();
-  } else if (IsMetal()) {
-    rc = sys_readv_metal(fd, iov, iovlen);
-  } else if (IsWindows()) {
-    rc = sys_readv_nt(fd, iov, iovlen);
-  } else {
-    rc = enosys();
-  }
-
+  rc = readv_impl(fd, iov, iovlen);
   END_CANCELATION_POINT;
   STRACE("readv(%d, [%s], %d) → %'ld% m", fd, DescribeIovec(rc, iov, iovlen),
          iovlen, rc);

libc/calls/write.c

@@ -27,6 +27,7 @@
 #include "libc/intrin/weaken.h"
 #include "libc/runtime/zipos.internal.h"
 #include "libc/sock/sock.h"
+#include "libc/stdio/sysparam.h"
 #include "libc/sysv/errfuns.h"
 
 /**
@@ -39,6 +40,7 @@
  *
  * @param fd is open file descriptor
  * @param buf is copied from, cf. copy_file_range(), sendfile(), etc.
+ * @param size is always saturated to 0x7ffff000 automatically
  * @return [1..size] bytes on success, or -1 w/ errno; noting zero is
  *     impossible unless size was passed as zero to do an error check
  * @raise EBADF if `fd` is negative or not an open file descriptor
@@ -68,6 +70,10 @@ ssize_t write(int fd, const void *buf, size_t size) {
   ssize_t rc;
   BEGIN_CANCELATION_POINT;
 
+  // XNU and BSDs will EINVAL if requested bytes exceeds INT_MAX
+  // this is inconsistent with Linux which ignores huge requests
+  size = MIN(size, 0x7ffff000);
+
   if (fd < 0) {
     rc = ebadf();
   } else if (IsAsan() && !__asan_is_valid(buf, size)) {