search for: tocttou

On Wed, Mar 20, 2019 at 12:11:57PM -0500, Eric Blake wrote: >On 3/20/19 11:57 AM, Richard W.M. Jones wrote: > >> >>>> Also an observation: qemu's nbd client only ever issues block status >>>> requests with the req-one flag set, so perhaps we should optimize for >>>> that case. >>> >>> I hope to get to the point where future qemu

v1 was here: https://www.redhat.com/archives/libguestfs/2019-June/thread.html#00055 v2 was here: https://www.redhat.com/archives/libguestfs/2019-June/thread.html#00067 v3: - Fix atomicly -> atomically in commit message. - Fix a comment. - Fix TOCTTOU: There is now an inline function generated called <name>_is_permitted_state, and this is called twice, first outside the lock for the quick rejection check, and again inside the lock in case the state changed. I think an improvement would be to _drop_ the first check (outside the lo...

...ss code (including nbd_aio_get_direction) can no longer see intermediate states that did not block, which is a lot nicer for deciding whether we will accidentally let the user's poll() loop block forever if it didn't see that we were blocked on POLLIN or POLLOUT. There's still always a TOCTTOU race (anywhere the user reads the public state while another thread holds the lock, their future actions based on the observed state may be unexpected by the time they actually grab the lock because the other thread changed state), as well as the issue I mentioned in on 3/4 about any consecutive us...

...even one access is racy because there can be a change between > BLOCK_STATUS and READ.  And that same thing happens in the plugins for > files and > everything that someone else can access.  I don't think it is designed for > concurrent access.  Or is it? Indeed, there is always a TOCTTOU race when you rely on block status if there is ever a concurrent writer. But, is it dangerous? Without a block status, we can have either: reader writer ------------------------ read sector X as A write sector X as B or: reader writer ----------------------...

...ed space in the root directory. > Should symlinks pointing to somewhere within the directory be > supported by expanding it into the contents visible through the > symlink? (But if we ever add that, we have to be careful of > symlink-to-directory loops, as well as race conditions where TOCTTOU > could result in a symlink escaping the directory) Exactly it's tricky to get it right, and ignoring them now doesn't stop us from fixing it later if someone needs it. > >+The plugin does not support writes. > >+ > >+The plugin does not save a temporary copy of the f...

...e on to secondary pages, unlike subdirectories. Should symlinks pointing to somewhere within the directory be supported by expanding it into the contents visible through the symlink? (But if we ever add that, we have to be careful of symlink-to-directory loops, as well as race conditions where TOCTTOU could result in a symlink escaping the directory) > + > +The plugin does not support writes. > + > +The plugin does not save a temporary copy of the files, so you must > +leave the directory alone while nbdkit is running, else you may get an > +error for example if the plugin tr...

...2873,35 +2901,30 @@ let generate_lib_api_c () = ); if permitted_states <> [] then ( pr " /* We can check the state outside the handle lock because the\n"; - pr " * the state is atomic.\n"; + pr " * the state is atomic. However to avoid TOCTTOU we must also\n"; + pr " * check again after we acquire the lock.\n"; pr " */\n"; - pr " enum state state = get_state (h);\n"; - let tests = - List.map ( - function - | Created -> "nbd_internal_is_state_cr...

Split h->state into: - h->public_state = the state on entry to the locked region This is also the atomicly, publicly visible state. - h->state = the real current state of the handle When we leave the locked region we update h->public_state with h->state, so that from outside the lock the handle appears to move atomically from its previous state to the final state without

Hi, Keir, This patch is to fix the problem of Linux guest installation failure and Windows 2000 boot failure.       In the early code, we use vmx_vmexit_handler() -> vmx_io_instruction() function to emulate I/O instructions. But now, we use vmx_vmexit_handler() -> handle_mmio -> hvm_emulate_one() -> x86_emulate() to emulate I/O instructions. Also nowadays, the realmode

I need to think about this patch series a bit more, but it does at least pass the tests. Rich.

On Tue, Jan 31, 2023 at 01:49:53PM +0100, Laszlo Ersek wrote: > On 1/28/23 13:47, Richard W.M. Jones wrote: > > systemd allows sockets passed through socket activation to be named > > with the protocol they require. We only ever pass one socket, name > > it. This environment variable is currently ignored by qemu-nbd and > > nbdkit, but might be used by

...CATION USAGE [09], but on Linux/glibc, O_EXEC > does not seem supported, only O_PATH does [10]. > > - Thus the chosen approach -- pre-generate filenames -- contains a small > + Thus the chosen approach -- pre-generate filenames -- contains a small > TOCTTOU race (highlighted by Eric) after all, but it should be harmless. > > Implementation-defined details: > @@ Commit message > > If PATH is set but empty ("set to null") [02], or PATH is unset and > confstr(_CS_PATH) fails or returns no inf...

Originally from https://github.com/markfasheh/duperemove/blob/master/btrfs-extent-same.c Signed-off-by: Gabriel de Perthuis <g2p.code+btrfs@gmail.com> --- .gitignore | 1 + Makefile | 2 +- btrfs-extent-same.c | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 btrfs-extent-same.c diff

Add nbdkit-floppy-plugin, “inspired” by qemu's VVFAT driver, but without the ability to handle writes. The implementation is pretty complete, supporting FAT32, LFNs, volume labels, timestamps, etc, and it passes both ‘make check’ and ‘make check-valgrind’. Usage is simple; to serve the current directory: $ nbdkit floppy . Then using guestfish (or any NBD client): $ guestfish --ro