nix-super/src/libutil
Alyssa Ross c05e20daa1
Fix long paths permanently breaking GC
Suppose I have a path /nix/store/[hash]-[name]/a/a/a/a/a/[...]/a,
long enough that everything after "/nix/store/" is longer than 4096
(MAX_PATH) bytes.

Nix will happily allow such a path to be inserted into the store,
because it doesn't look at all the nested structure.  It just cares
about the /nix/store/[hash]-[name] part.  But, when the path is deleted,
we encounter a problem.  Nix will move the path to /nix/store/trash, but
then when it's trying to recursively delete the trash directory, it will
at some point try to unlink
/nix/store/trash/[hash]-[name]/a/a/a/a/a/[...]/a.  This will fail,
because the path is too long.  After this has failed, any store deletion
operation will never work again, because Nix needs to delete the trash
directory before recreating it to move new things to it.  (I assume this
is because otherwise a path being deleted could already exist in the
trash, and then moving it would fail.)

This means that if I can trick somebody into just fetching a tarball
containing a path of the right length, they won't be able to delete
store paths or garbage collect ever again, until the offending path is
manually removed from /nix/store/trash.  (And even fixing this manually
is quite difficult if you don't understand the issue, because the
absolute path that Nix says it failed to remove is also too long for
rm(1).)

This patch fixes the issue by making Nix's recursive delete operation
use unlinkat(2).  This function takes a relative path and a directory
file descriptor.  We ensure that the relative path is always just the
name of the directory entry, and therefore its length will never exceed
255 bytes.  This means that it will never even come close to MAX_PATH,
and Nix will therefore be able to handle removing arbitrarily deep
directory hierarchies.

Since the directory file descriptor is used for recursion after being
used in readDirectory, I made a variant of readDirectory that takes an
already open directory stream, to avoid the directory being opened
multiple times.  As we have seen from this issue, the less we have to
interact with paths, the better, and so it's good to reuse file
descriptors where possible.

I left _deletePath as succeeding even if the parent directory doesn't
exist, even though that feels wrong to me, because without that early
return, the linux-sandbox test failed.

Reported-by: Alyssa Ross <hi@alyssa.is>
Thanks-to: Puck Meerburg <puck@puckipedia.com>
Tested-by: Puck Meerburg <puck@puckipedia.com>
Reviewed-by: Puck Meerburg <puck@puckipedia.com>
2020-04-27 20:50:17 +00:00
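The fd-relative recursion the commit describes, written out as an added example (this is illustrative code, not the Nix source touched by this commit). It builds a directory tree whose leaf path exceeds PATH_MAX using mkdirat(2), shows that a path-based rmdir(2) on that leaf fails with ENAMETOOLONG, and then removes the whole tree with a deleter that only ever hands the kernel one directory entry name plus a directory file descriptor. The helpers makeDeepTree, makeScratchDir, rmdirErrno and demo are constructed for this demonstration; the tree is created under $TMPDIR (or /tmp).

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <cstring>
#include <dirent.h>
#include <fcntl.h>
#include <memory>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Report the failing call with only the entry name: an absolute path
// could itself be longer than PATH_MAX, which is the whole problem.
[[noreturn]] static void die(const char * call, const std::string & name)
{
    throw std::runtime_error(std::string(call) + " '" + name + "': " + std::strerror(errno));
}

// Delete entry `name` inside the directory `parentFd`, and everything below
// it. Every syscall is relative to a directory fd, so the only path string
// passed to the kernel is a single entry name (at most NAME_MAX bytes);
// the depth of the tree never matters. Mirrors the approach in the commit
// message; this is not the project's code.
static void deleteAt(int parentFd, const std::string & name)
{
    struct stat st;
    if (fstatat(parentFd, name.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1) {
        if (errno == ENOENT) return;
        die("fstatat", name);
    }
    if (S_ISDIR(st.st_mode)) {
        // Store directories are read-only; make this one traversable and writable first.
        const mode_t need = S_IRUSR | S_IWUSR | S_IXUSR;
        if ((st.st_mode & need) != need && fchmodat(parentFd, name.c_str(), st.st_mode | need, 0) == -1)
            die("fchmodat", name);
        int fd = openat(parentFd, name.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (fd == -1) die("openat", name);
        std::unique_ptr<DIR, int (*)(DIR *)> dir(fdopendir(fd), closedir); // DIR owns fd now
        if (!dir) { int e = errno; close(fd); errno = e; die("fdopendir", name); }
        errno = 0;
        while (struct dirent * ent = readdir(dir.get())) {
            std::string child = ent->d_name;
            if (child != "." && child != "..") deleteAt(dirfd(dir.get()), child); // reuse the open fd
            errno = 0;
        }
        if (errno) die("readdir", name);
    }
    if (unlinkat(parentFd, name.c_str(), S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0) == -1)
        die("unlinkat", name);
}

// Entry point: `path` itself is an ordinary-length path; only what lies
// below it may be arbitrarily deep.
void deletePath(const std::string & path)
{
    auto slash = path.rfind('/');
    std::string parent = slash == std::string::npos ? "." : slash == 0 ? "/" : path.substr(0, slash);
    std::string name = slash == std::string::npos ? path : path.substr(slash + 1);
    int parentFd = open(parent.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (parentFd == -1) die("open", parent);
    try { deleteAt(parentFd, name); } catch (...) { close(parentFd); throw; }
    close(parentFd);
}

// Constructed helper: build root/NAME/NAME/... `depth` levels deep with
// `nameLen`-byte components, using mkdirat so the build never touches a
// long path either. Returns the (possibly too long) absolute leaf path.
std::string makeDeepTree(const std::string & root, int depth, size_t nameLen)
{
    std::string name(nameLen, 'a'), leaf = root;
    int fd = open(root.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd == -1) die("open", root);
    for (int i = 0; i < depth; ++i) {
        if (mkdirat(fd, name.c_str(), 0700) == -1) { close(fd); die("mkdirat", name); }
        int next = openat(fd, name.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        close(fd);
        if (next == -1) die("openat", name);
        fd = next;
        leaf += "/" + name;
    }
    close(fd);
    return leaf;
}

// Constructed helper: what a path-based delete sees, as an errno value.
int rmdirErrno(const std::string & path) { return rmdir(path.c_str()) == 0 ? 0 : errno; }

// Constructed helper: a fresh scratch directory under $TMPDIR or /tmp.
std::string makeScratchDir()
{
    const char * tmp = getenv("TMPDIR");
    std::string tmpl = std::string(tmp ? tmp : "/tmp") + "/deep-delete-XXXXXX";
    if (!mkdtemp(&tmpl[0])) die("mkdtemp", tmpl);
    return tmpl;
}

// End to end: leaf path > PATH_MAX, rmdir(2) on it fails with ENAMETOOLONG,
// the fd-relative deleter still removes the whole tree.
bool demo()
{
    std::string root = makeScratchDir();
    std::string leaf = makeDeepTree(root, 25, 200); // 25 * 201 bytes below root, > 4096
    bool tooLong = leaf.size() > PATH_MAX && rmdirErrno(leaf) == ENAMETOOLONG;
    deletePath(root);
    struct stat st;
    bool gone = stat(root.c_str(), &st) == -1 && errno == ENOENT;
    return tooLong && gone;
}

int main() { return demo() ? 0 : 1; }
```

One file descriptor stays open per level of recursion while a subtree is being deleted, so a tree with thousands of one-character components could run into the process's open-file limit; the 25-level, 200-byte-per-component tree above keeps that at a few dozen descriptors while still exceeding PATH_MAX.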
affinity.cc printMsg(lvlError, ...) -> printError(...) etc. 2016-09-21 16:54:53 +02:00
affinity.hh Run the daemon worker on the same CPU as the client 2013-08-07 14:02:04 +02:00
ansicolor.hh remove util.hh from deps 2020-03-27 10:55:09 -06:00
archive.cc Add O(1)-memory copyPath() function 2019-10-27 18:18:58 +01:00
archive.hh Add O(1)-memory copyPath() function 2019-10-27 18:18:58 +01:00
args.cc Initialize Command::_name 2019-12-05 20:21:22 +01:00
args.hh Initialize Command::_name 2019-12-05 20:21:22 +01:00
compression.cc Improve gzip error message 2019-12-13 19:05:26 +01:00
compression.hh Fix Brotli decompression in 'nix log' 2018-08-06 15:40:29 +02:00
config.cc Add priority setting to stores 2019-12-17 17:17:53 +01:00
config.hh Add priority setting to stores 2019-12-17 17:17:53 +01:00
error.cc move implementation to cc 2020-04-15 10:09:43 -06:00
error.hh iomanip no longer needed 2020-04-16 10:48:15 -06:00
finally.hh Add missing #include 2016-11-07 14:35:47 +01:00
hash.cc Allow content-addressable paths to have references 2019-10-21 17:47:24 +02:00
hash.hh Misc changes from the flakes branch 2020-03-24 14:34:47 +01:00
istringstream_nocopy.hh Move istringstream_nocopy to a separate file 2017-03-21 14:43:03 +01:00
json.cc Make std::uncaught_exception warning less noisy 2019-10-09 23:04:11 +02:00
json.hh Make std::uncaught_exception warning less noisy 2019-10-09 23:04:11 +02:00
lazy.hh Figure out the user's home directory if $HOME is not set 2017-05-05 17:08:23 +02:00
local.mk libarchive proof of concept 2019-12-07 22:35:14 +07:00
logging.cc Logger: Add method for writing to stdout 2020-04-16 18:03:38 +02:00
logging.hh Logger: Add method for writing to stdout 2020-04-16 18:03:38 +02:00
lru-cache.hh experimental/optional -> optional 2019-03-14 14:10:52 +01:00
monitor-fd.hh monitor-fds: Fix on macOS. 2018-02-14 18:26:37 -05:00
pool.hh RemoteStore: Close connection if an exception occurs 2018-10-16 23:36:15 +02:00
ref.hh Allow setting the state directory as a store parameter 2016-06-02 16:02:48 +02:00
rust-ffi.cc Merge branch 'libarchive' of https://github.com/yorickvP/nix 2019-12-19 14:47:18 +01:00
rust-ffi.hh Prevent uninitialized StorePath creation 2020-02-13 16:12:16 +01:00
serialise.cc experimental/optional -> optional 2019-03-14 14:10:52 +01:00
serialise.hh Drop remaining uses of external "tar" 2019-11-26 22:07:28 +01:00
sync.hh sync.hh: return cv_status instead of dropping it, in case useful. 2018-06-18 17:31:00 -05:00
tarfile.cc tarfile.cc: Restore timestamps 2019-12-19 15:09:54 +01:00
tarfile.hh libarchive proof of concept 2019-12-07 22:35:14 +07:00
thread-pool.cc Fix a hang in ThreadPool 2017-10-09 15:41:09 +02:00
thread-pool.hh Fix extra ; warnings involving MakeError 2019-11-10 11:24:47 -05:00
types.hh Merge branch 'error-format' of https://github.com/bburdette/nix 2020-04-22 15:29:10 +02:00
url.cc Backport libfetchers from the flakes branch 2020-04-07 09:03:14 +02:00
url.hh Backport libfetchers from the flakes branch 2020-04-07 09:03:14 +02:00
util.cc Fix long paths permanently breaking GC 2020-04-27 20:50:17 +00:00
util.hh Don't include error.hh in util.hh to prevent header bloat 2020-04-22 15:29:27 +02:00
xml-writer.cc Cleanup 2019-11-06 16:53:02 +01:00
xml-writer.hh Fix some random -Wconversion warnings 2018-05-02 13:56:34 +02:00