Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check offset overflow in fd_pwrite #254

Merged
merged 1 commit into from
Apr 10, 2024

Conversation

yagehu
Copy link
Contributor

@yagehu yagehu commented Apr 10, 2024

This commit fixes a potential overflow in fd_pwrite. Since uv_fs_write takes an int64_t as the offset while fd_pwrite accepts an uint64_t, we need to check it doesn't overflow when cast.

This commit fixes a potential overflow in fd_pwrite.  Since
`uv_fs_write` takes an `int64_t` as the offset while `fd_pwrite` accepts
an `uint64_t`, we need to check it doesn't overflow when cast.
@yagehu yagehu force-pushed the yagehu/pwrite-overflow branch from 69ef286 to a449870 Compare April 10, 2024 18:00
@guybedford
Copy link
Contributor

Strictly speaking, this is not actually an overflow though I believe because Wasm treats u64 types as i64 types in the host integration layer since it doesn't distinguish between them. Thus while to native callers it is taking an i64, negative values passed should still be interpreted as their unsigned equivalents. See https://webassembly.github.io/spec/core/syntax/types.html#number-types for more info on this from a Wasm perspective.

@guybedford
Copy link
Contributor

That said, ideally uvwasi would be properly typed here in having a signature that takes a uint64_t and not a signature that takes a int64_t to begin with.

@guybedford
Copy link
Contributor

But we should not land this overflow check as the correct interpretation of the code is as an unsigned argument.

@yagehu
Copy link
Contributor Author

yagehu commented Apr 10, 2024

Hi @guybedford I created an issue #256 explaining the motivation. I don't think this statement:

negative values passed should still be interpreted as their unsigned equivalents

applies to the uv_fs_write call as it is an implementation detail, not spec'd by Wasm.

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@guybedford
Copy link
Contributor

guybedford commented Apr 10, 2024

Here is the preview1 spec for fd_pwrite - https://github.com/WebAssembly/WASI/blob/main/legacy/preview1/docs.md#fd_pwrite.

offset is a filesize (https://github.com/WebAssembly/WASI/blob/main/legacy/preview1/docs.md#filesize), which has type u64.

Therefore the interface is not correct by the spec.

Implementation behaviour is another question of course, and we can choose to ban this, but my clarification is that this is valid per the preview1-specified function signature.

Copy link
Contributor

@guybedford guybedford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second read I see what you mean about the implementation detail here.

That the function signature is not u64 is actually a separate question I suppose then, regardless of implementation bounds per this PR.

Thanks for talking it through.

@guybedford guybedford merged commit bfd2e68 into nodejs:main Apr 10, 2024
7 checks passed
@sunfishcode
Copy link

The proposed fix looks good for now, and I've now filed WebAssembly/wasi-filesystem#146 to discuss what should do in the spec.

@yagehu yagehu deleted the yagehu/pwrite-overflow branch June 3, 2024 23:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants