Fixed seek undefined behavior on signed integer overflow

In the previous implementation of lfs_file_seek, we calculated the new offset using signed arithmetic before checking for possible overflow/underflow conditions. This results in undefined behavior in C. Fortunately for us, littlefs is now limited to 31-bit file sizes for API reasons, so we don't have to be too clever here. Doing the arithmetic with unsigned integers and just checking if we're in a valid range afterwards should work. Found by m-kostrzewa and lucic71
Added some tests around seek integer overflow/underflow
2024-09-24 14:01:20 -05:00 · 2024-09-24 14:01:08 -05:00 · 2024-09-24 12:25:04 -05:00 · 2024-09-20 16:05:15 -05:00 · 2024-09-20 16:05:12 -05:00 · 2024-09-20 16:04:35 -05:00
5 changed files with 177 additions and 66 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
      github.event.workflow_run.head_sha == github.sha}}

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.event.workflow_run.head_sha}}
          # need workflow access since we push branches
@@ -30,26 +30,29 @@ jobs:
          fetch-depth: 0

      # try to get results from tests
-      - uses: dawidd6/action-download-artifact@v2
+      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
-          workflow: ${{github.event.workflow_run.name}}
-          run_id: ${{github.event.workflow_run.id}}
-          name: sizes
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          run-id: ${{github.event.workflow_run.id}}
+          pattern: '{sizes,sizes-*}'
+          merge-multiple: true
          path: sizes
-      - uses: dawidd6/action-download-artifact@v2
+      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
-          workflow: ${{github.event.workflow_run.name}}
-          run_id: ${{github.event.workflow_run.id}}
-          name: cov
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          run-id: ${{github.event.workflow_run.id}}
+          pattern: '{cov,cov-*}'
+          merge-multiple: true
          path: cov
-      - uses: dawidd6/action-download-artifact@v2
+      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
-          workflow: ${{github.event.workflow_run.name}}
-          run_id: ${{github.event.workflow_run.id}}
-          name: bench
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          run-id: ${{github.event.workflow_run.id}}
+          pattern: '{bench,bench-*}'
+          merge-multiple: true
          path: bench

      - name: find-version
--- a/.github/workflows/status.yml
+++ b/.github/workflows/status.yml
@@ -13,12 +13,13 @@ jobs:
  status:
    runs-on: ubuntu-latest
    steps:
-      - uses: dawidd6/action-download-artifact@v2
+      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
-          workflow: ${{github.event.workflow_run.name}}
-          run_id: ${{github.event.workflow_run.id}}
-          name: status
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          run-id: ${{github.event.workflow_run.id}}
+          pattern: '{status,status-*}'
+          merge-multiple: true
          path: status
      - name: update-status
        continue-on-error: true
@@ -67,12 +68,13 @@ jobs:

    steps:
      # generated comment?
-      - uses: dawidd6/action-download-artifact@v2
+      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
-          workflow: ${{github.event.workflow_run.name}}
-          run_id: ${{github.event.workflow_run.id}}
-          name: comment
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          run-id: ${{github.event.workflow_run.id}}
+          pattern: '{comment,comment-*}'
+          merge-multiple: true
          path: comment
      - name: update-comment
        continue-on-error: true
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
        arch: [x86_64, thumb, mips, powerpc]

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -235,9 +235,9 @@ jobs:

      # create size statuses
      - name: upload-sizes
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
-          name: sizes
+          name: sizes-${{matrix.arch}}
          path: sizes
      - name: status-sizes
        run: |
@@ -273,16 +273,17 @@ jobs:
            }' | tee status/$(basename $f .csv).json
          done
      - name: upload-status-sizes
-        uses: actions/upload-artifact@v2
+        if: ${{matrix.arch == 'x86_64'}}
+        uses: actions/upload-artifact@v4
        with:
-          name: status
+          name: status-sizes-${{matrix.arch}}
          path: status
          retention-days: 1

      # create cov statuses
      - name: upload-cov
        if: ${{matrix.arch == 'x86_64'}}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: cov
          path: cov
@@ -317,11 +318,11 @@ jobs:
              target_step: env.STEP,
            }' | tee status/$(basename $f .csv)-$s.json
          done
-      - name: upload-status-sizes
+      - name: upload-status-cov
        if: ${{matrix.arch == 'x86_64'}}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
-          name: status
+          name: status-cov
          path: status
          retention-days: 1

@@ -336,7 +337,7 @@ jobs:
        pls: [1, 2]

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -361,7 +362,7 @@ jobs:
  test-no-intrinsics:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -378,7 +379,7 @@ jobs:
  test-multiversion:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -395,7 +396,7 @@ jobs:
  test-lfs2_0:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -414,7 +415,7 @@ jobs:
  test-valgrind:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -436,7 +437,7 @@ jobs:
  test-clang:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -459,7 +460,7 @@ jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -491,7 +492,7 @@ jobs:

      # create bench statuses
      - name: upload-bench
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: bench
          path: bench
@@ -525,9 +526,9 @@ jobs:
            }' | tee status/$(basename $f .csv)-$s.json
          done
      - name: upload-status-bench
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
-          name: status
+          name: status-bench
          path: status
          retention-days: 1

@@ -535,10 +536,10 @@ jobs:
  test-compat:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        if: ${{github.event_name == 'pull_request'}}
      # checkout the current pr target into lfsp
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        if: ${{github.event_name == 'pull_request'}}
        with:
          ref: ${{github.event.pull_request.base.ref}}
@@ -572,7 +573,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{!endsWith(github.ref, '-prefix')}}
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -582,7 +583,7 @@ jobs:
          gcc --version
          python3 --version
          fusermount -V
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          repository: littlefs-project/littlefs-fuse
          ref: v2
@@ -622,7 +623,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{!endsWith(github.ref, '-prefix')}}
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
      - name: install
        run: |
          # need a few things
@@ -632,12 +633,12 @@ jobs:
          gcc --version
          python3 --version
          fusermount -V
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          repository: littlefs-project/littlefs-fuse
          ref: v2
          path: v2
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          repository: littlefs-project/littlefs-fuse
          ref: v1
@@ -694,7 +695,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: [test, bench]
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        if: ${{github.event_name == 'pull_request'}}
      - name: install
        if: ${{github.event_name == 'pull_request'}}
@@ -704,23 +705,26 @@ jobs:
          pip3 install toml
          gcc --version
          python3 --version
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
        if: ${{github.event_name == 'pull_request'}}
        continue-on-error: true
        with:
-          name: sizes
+          pattern: '{sizes,sizes-*}'
+          merge-multiple: true
          path: sizes
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
        if: ${{github.event_name == 'pull_request'}}
        continue-on-error: true
        with:
-          name: cov
+          pattern: '{cov,cov-*}'
+          merge-multiple: true
          path: cov
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
        if: ${{github.event_name == 'pull_request'}}
        continue-on-error: true
        with:
-          name: bench
+          pattern: '{bench,bench-*}'
+          merge-multiple: true
          path: bench

      # try to find results from tests
@@ -862,7 +866,7 @@ jobs:
            body: $comment,
          }' | tee comment/comment.json
      - name: upload-comment
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: comment
          path: comment
--- a/lfs.c
+++ b/lfs.c
@@ -3664,22 +3664,16 @@ static lfs_ssize_t lfs_file_write_(lfs_t *lfs, lfs_file_t *file,
 static lfs_soff_t lfs_file_seek_(lfs_t *lfs, lfs_file_t *file,
        lfs_soff_t off, int whence) {
    // find new pos
+    //
+    // fortunately for us, littlefs is limited to 31-bit file sizes, so we
+    // don't have to worry too much about integer overflow
    lfs_off_t npos = file->pos;
    if (whence == LFS_SEEK_SET) {
        npos = off;
    } else if (whence == LFS_SEEK_CUR) {
-        if ((lfs_soff_t)file->pos + off < 0) {
-            return LFS_ERR_INVAL;
-        } else {
-            npos = file->pos + off;
-        }
+        npos = file->pos + (lfs_off_t)off;
    } else if (whence == LFS_SEEK_END) {
-        lfs_soff_t res = lfs_file_size_(lfs, file) + off;
-        if (res < 0) {
-            return LFS_ERR_INVAL;
-        } else {
-            npos = res;
-        }
+        npos = (lfs_off_t)lfs_file_size_(lfs, file) + (lfs_off_t)off;
    }

    if (npos > lfs->file_max) {
--- a/tests/test_seek.toml
+++ b/tests/test_seek.toml
@@ -405,3 +405,111 @@ code = '''
    lfs_file_close(&lfs, &file) => 0;
    lfs_unmount(&lfs) => 0;
 '''
+
+
+# test possible overflow/underflow conditions
+#
+# note these need -fsanitize=undefined to consistently detect
+# overflow/underflow conditions
+
+[cases.test_seek_filemax]
+code = '''
+    lfs_t lfs;
+    lfs_format(&lfs, cfg) => 0;
+    lfs_mount(&lfs, cfg) => 0;
+    lfs_file_t file;
+    lfs_file_open(&lfs, &file, "kitty",
+            LFS_O_WRONLY | LFS_O_CREAT | LFS_O_APPEND) => 0;
+    uint8_t buffer[1024];
+    strcpy((char*)buffer, "kittycatcat");
+    size_t size = strlen((char*)buffer);
+    lfs_file_write(&lfs, &file, buffer, size) => size;
+
+    // seek with LFS_SEEK_SET
+    lfs_file_seek(&lfs, &file, LFS_FILE_MAX, LFS_SEEK_SET) => LFS_FILE_MAX;
+
+    // seek with LFS_SEEK_CUR
+    lfs_file_seek(&lfs, &file, 0, LFS_SEEK_CUR) => LFS_FILE_MAX;
+
+    // the file hasn't changed size, so seek end takes us back to the offset=0
+    lfs_file_seek(&lfs, &file, +10, LFS_SEEK_END) => size+10;
+
+    lfs_file_close(&lfs, &file) => 0;
+    lfs_unmount(&lfs) => 0;
+'''
+
+[cases.test_seek_underflow]
+code = '''
+    lfs_t lfs;
+    lfs_format(&lfs, cfg) => 0;
+    lfs_mount(&lfs, cfg) => 0;
+    lfs_file_t file;
+    lfs_file_open(&lfs, &file, "kitty",
+            LFS_O_WRONLY | LFS_O_CREAT | LFS_O_APPEND) => 0;
+    uint8_t buffer[1024];
+    strcpy((char*)buffer, "kittycatcat");
+    size_t size = strlen((char*)buffer);
+    lfs_file_write(&lfs, &file, buffer, size) => size;
+
+    // underflow with LFS_SEEK_CUR, should error
+    lfs_file_seek(&lfs, &file, -(size+10), LFS_SEEK_CUR) => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file, -LFS_FILE_MAX, LFS_SEEK_CUR) => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file, -(size+LFS_FILE_MAX), LFS_SEEK_CUR)
+            => LFS_ERR_INVAL;
+
+    // underflow with LFS_SEEK_END, should error
+    lfs_file_seek(&lfs, &file, -(size+10), LFS_SEEK_END) => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file, -LFS_FILE_MAX, LFS_SEEK_END) => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file, -(size+LFS_FILE_MAX), LFS_SEEK_END)
+            => LFS_ERR_INVAL;
+
+    // file pointer should not have changed
+    lfs_file_tell(&lfs, &file) => size;
+
+    lfs_file_close(&lfs, &file) => 0;
+    lfs_unmount(&lfs) => 0;
+'''
+
+[cases.test_seek_overflow]
+code = '''
+    lfs_t lfs;
+    lfs_format(&lfs, cfg) => 0;
+    lfs_mount(&lfs, cfg) => 0;
+    lfs_file_t file;
+    lfs_file_open(&lfs, &file, "kitty",
+            LFS_O_WRONLY | LFS_O_CREAT | LFS_O_APPEND) => 0;
+    uint8_t buffer[1024];
+    strcpy((char*)buffer, "kittycatcat");
+    size_t size = strlen((char*)buffer);
+    lfs_file_write(&lfs, &file, buffer, size) => size;
+
+    // seek to LFS_FILE_MAX
+    lfs_file_seek(&lfs, &file, LFS_FILE_MAX, LFS_SEEK_SET) => LFS_FILE_MAX;
+
+    // overflow with LFS_SEEK_CUR, should error
+    lfs_file_seek(&lfs, &file, +10, LFS_SEEK_CUR) => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file, +LFS_FILE_MAX, LFS_SEEK_CUR) => LFS_ERR_INVAL;
+
+    // LFS_SEEK_SET/END don't care about the current file position, but we can
+    // still overflow with a large offset
+
+    // overflow with LFS_SEEK_SET, should error
+    lfs_file_seek(&lfs, &file,
+            +((uint32_t)LFS_FILE_MAX+10),
+            LFS_SEEK_SET) => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file,
+            +((uint32_t)LFS_FILE_MAX+(uint32_t)LFS_FILE_MAX),
+            LFS_SEEK_SET) => LFS_ERR_INVAL;
+
+    // overflow with LFS_SEEK_END, should error
+    lfs_file_seek(&lfs, &file, +(LFS_FILE_MAX-size+10), LFS_SEEK_END)
+            => LFS_ERR_INVAL;
+    lfs_file_seek(&lfs, &file, +(LFS_FILE_MAX-size+LFS_FILE_MAX), LFS_SEEK_END)
+            => LFS_ERR_INVAL;
+
+    // file pointer should not have changed
+    lfs_file_tell(&lfs, &file) => LFS_FILE_MAX;
+
+    lfs_file_close(&lfs, &file) => 0;
+    lfs_unmount(&lfs) => 0;
+'''
Author	SHA1	Message	Date
Christopher Haster	abaec45652	Fixed seek undefined behavior on signed integer overflow In the previous implementation of lfs_file_seek, we calculated the new offset using signed arithmetic before checking for possible overflow/underflow conditions. This results in undefined behavior in C. Fortunately for us, littlefs is now limited to 31-bit file sizes for API reasons, so we don't have to be too clever here. Doing the arithmetic with unsigned integers and just checking if we're in a valid range afterwards should work. Found by m-kostrzewa and lucic71	2024-09-24 14:01:20 -05:00
Christopher Haster	f1c430e779	Added some tests around seek integer overflow/underflow Original tests provided by m-kostrzewa, these identify signed overflow (undefined behavior) when compiled with -fsanitize=undefined.	2024-09-24 14:01:08 -05:00
Christopher Haster	b78afe2518	Merge pull request #1026 from yamt/update-gh-actions Update github actions to the latest versions	2024-09-24 12:25:04 -05:00
Christopher Haster	798073c2a7	gha: Dropped minor/patch version pinning of actions With GitHub forcibly deprecating old versions of actions, pinning the minor/patch version is more likely to cause breakage than not.	2024-09-20 16:05:15 -05:00
Christopher Haster	7db9e1663a	gha: Switched to standard da for cross-workflow downloads Looks like cross-workflow downloads has finally been added to the standard download-artifact action, so we might as well switch to it to reduce dependencies. dawidd6's version was also missing the merge-multiple feature which is necessary to work around breaking changes in download-artifact's v4 bump. Weirdly it needs GITHUB_TOKEN for some reason? Not sure why this couldn't be implicit.	2024-09-20 16:05:12 -05:00
Christopher Haster	2c4b262c35	gha: Merge artifacts on download Turns out major versions break things. Old behavior: Artifacts with same name are merged New behavior: Artifacts with same name error Using a pattern and merging on download should fix this at least on the job-side. Though I do wonder if we'll start running into artifact limit issues with the new way artifacts are handled...	2024-09-20 16:04:35 -05:00
YAMAMOTO Takashi	72a4b57f4e	gha: Make the artifact names unique	2024-09-19 17:26:49 -05:00
YAMAMOTO Takashi	6e7269890a	gha: Update github actions to the latest versions	2024-09-19 17:18:15 -05:00