extend of lseek on dir (#245)

briteny-pwn · web-flow · commit 6eac0e4b7251 · 2025-10-30T11:57:28.000Z
diff --git a/project/libfuse-fs/src/overlayfs/async_io.rs b/project/libfuse-fs/src/overlayfs/async_io.rs
@@ -13,7 +13,6 @@ use std::io::ErrorKind;
 use std::num::NonZeroU32;
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
-use tracing::error;
 use tracing::info;
 use tracing::trace;
 
@@ -908,8 +907,6 @@ impl Filesystem for OverlayFs {
         offset: u64,
         whence: u32,
     ) -> Result<ReplyLSeek> {
-        // can this be on dir? FIXME: assume file for now
-        // we need special process if it can be called on dir
         let node = self.lookup_node(req, inode, "").await?;
 
         if node.whiteout.load(Ordering::Relaxed) {
@@ -918,14 +915,87 @@ impl Filesystem for OverlayFs {
 
         let st = node.stat64(req).await?;
         if utils::is_dir(&st.attr.kind) {
-            error!("lseek on directory");
-            return Err(Error::from_raw_os_error(libc::EINVAL).into());
-        }
+            // Special handling and security restrictions for directory operations.
+            // Use the common API to obtain the underlying layer and handle info.
+            let (layer, real_inode, real_handle) = self.find_real_info_from_handle(fh).await?;
+
+            // Verify that the underlying handle refers to a directory.
+            let handle_stat = match layer.getattr(req, real_inode, Some(real_handle), 0).await {
+                Ok(s) => s,
+                Err(_) => return Err(Error::from_raw_os_error(libc::EBADF).into()),
+            };
 
-        let (layer, real_inode, real_handle) = self.find_real_info_from_handle(fh).await?;
-        layer
-            .lseek(req, real_inode, real_handle, offset, whence)
-            .await
+            if !utils::is_dir(&handle_stat.attr.kind) {
+                return Err(Error::from_raw_os_error(libc::ENOTDIR).into());
+            }
+
+            // Handle directory lseek operations according to POSIX standard
+            // This enables seekdir/telldir functionality on directories
+            match whence {
+                // SEEK_SET: Set the directory position to an absolute value
+                x if x == libc::SEEK_SET as u32 => {
+                    // Validate offset bounds to prevent overflow
+                    // Directory offsets should not exceed i64::MAX
+                    if offset > i64::MAX as u64 {
+                        return Err(Error::from_raw_os_error(libc::EINVAL).into());
+                    }
+
+                    // Perform the seek operation on the underlying layer
+                    // Delegate to the lower layer implementation
+                    layer
+                        .lseek(req, real_inode, real_handle, offset, whence)
+                        .await
+                }
+                // SEEK_CUR: Move relative to the current directory position
+                x if x == libc::SEEK_CUR as u32 => {
+                    // Get current position from underlying layer
+                    // This is needed to calculate the new position
+                    let current = match layer
+                        .lseek(req, real_inode, real_handle, 0, libc::SEEK_CUR as u32)
+                        .await
+                    {
+                        Ok(r) => r.offset,
+                        Err(_) => return Err(Error::from_raw_os_error(libc::EINVAL).into()),
+                    };
+
+                    // Check for potential overflow when adding the provided offset
+                    // This prevents invalid position calculations
+                    if let Some(new_offset) = current.checked_add(offset) {
+                        // Ensure the new offset is within valid bounds
+                        if new_offset > i64::MAX as u64 {
+                            return Err(Error::from_raw_os_error(libc::EINVAL).into());
+                        }
+
+                        // Actually set the underlying offset to the new value so behavior
+                        // matches passthrough which uses libc::lseek64 to set the fd offset.
+                        match layer
+                            .lseek(
+                                req,
+                                real_inode,
+                                real_handle,
+                                new_offset,
+                                libc::SEEK_SET as u32,
+                            )
+                            .await
+                        {
+                            Ok(_) => Ok(ReplyLSeek { offset: new_offset }),
+                            Err(_) => Err(Error::from_raw_os_error(libc::EINVAL).into()),
+                        }
+                    } else {
+                        Err(Error::from_raw_os_error(libc::EINVAL).into())
+                    }
+                }
+                // Any other whence value is invalid for directories
+                _ => Err(Error::from_raw_os_error(libc::EINVAL).into()),
+            }
+        } else {
+            // Keep the original lseek behavior for regular files
+            // Delegate directly to the underlying layer
+            let (layer, real_inode, real_handle) = self.find_real_info_from_handle(fh).await?;
+            layer
+                .lseek(req, real_inode, real_handle, offset, whence)
+                .await
+        }
     }
 
     async fn interrupt(&self, _req: Request, _unique: u64) -> Result<()> {
diff --git a/project/libfuse-fs/src/passthrough/async_io.rs b/project/libfuse-fs/src/passthrough/async_io.rs
@@ -80,7 +80,7 @@ impl<S: BitmapSlice + Send + Sync> PassthroughFs<S> {
         // changes the kernel offset while we are using it.
         let (_guard, dir) = data.get_file_mut().await;
 
-        // alloc buff ,pay attention to alian.
+        // Allocate buffer; pay attention to alignment.
         let mut buffer = vec![0u8; BUFFER_SIZE];
 
         // Safe because this doesn't modify any memory and we check the return value.
@@ -180,7 +180,7 @@ impl<S: BitmapSlice + Send + Sync> PassthroughFs<S> {
         // changes the kernel offset while we are using it.
         let (_guard, dir) = data.get_file_mut().await;
 
-        // alloc buff ,pay attention to alian.
+        // Allocate buffer; pay attention to alignment.
         let mut buffer = vec![0u8; BUFFER_SIZE];
 
         // Safe because this doesn't modify any memory and we check the return value.
@@ -1794,21 +1794,89 @@ impl Filesystem for PassthroughFs {
         // Let the Arc<HandleData> in scope, otherwise fd may get invalid.
         let data = self.handle_map.get(fh, inode).await?;
 
-        // Acquire the lock to get exclusive access, otherwise it may break do_readdir().
-        let (_guard, file) = data.get_file_mut().await;
+        // Check file type to determine appropriate lseek handling
+        let st = stat_fd(data.get_file(), None)?;
+        let is_dir = (st.st_mode & libc::S_IFMT) == libc::S_IFDIR;
+
+        if is_dir {
+            // Directory special handling: support SEEK_SET and SEEK_CUR with bounds checks.
+            // Acquire the lock to get exclusive access
+            let (_guard, file) = data.get_file_mut().await;
+
+            // Handle directory lseek operations according to POSIX standard
+            // This enables seekdir/telldir functionality on directories
+            match whence {
+                // SEEK_SET: set directory offset to an absolute value
+                x if x == libc::SEEK_SET as u32 => {
+                    // Validate offset bounds to prevent overflow
+                    // Directory offsets should not exceed i64::MAX
+                    if offset > i64::MAX as u64 {
+                        return Err(io::Error::from_raw_os_error(libc::EINVAL).into());
+                    }
 
-        // Safe because this doesn't modify any memory and we check the return value.
-        let res = unsafe {
-            libc::lseek(
-                file.as_raw_fd(),
-                offset as libc::off64_t,
-                whence as libc::c_int,
-            )
-        };
-        if res < 0 {
-            Err(io::Error::last_os_error().into())
+                    // Perform the seek operation using libc::lseek64
+                    // This directly manipulates the file descriptor's position
+                    let res = unsafe {
+                        libc::lseek64(file.as_raw_fd(), offset as libc::off64_t, libc::SEEK_SET)
+                    };
+                    if res < 0 {
+                        return Err(io::Error::last_os_error().into());
+                    }
+                    Ok(ReplyLSeek { offset: res as u64 })
+                }
+                // SEEK_CUR: move relative to current directory offset
+                x if x == libc::SEEK_CUR as u32 => {
+                    // Get current position using libc::lseek64 with offset 0
+                    let cur = unsafe { libc::lseek64(file.as_raw_fd(), 0, libc::SEEK_CUR) };
+                    if cur < 0 {
+                        return Err(io::Error::last_os_error().into());
+                    }
+                    let current = cur as u64;
+
+                    // Compute new offset safely to prevent arithmetic overflow
+                    if let Some(new_offset) = current.checked_add(offset) {
+                        // Ensure the new offset is within valid bounds
+                        if new_offset > i64::MAX as u64 {
+                            return Err(io::Error::from_raw_os_error(libc::EINVAL).into());
+                        }
+                        // Set the new offset using libc::lseek64
+                        let res = unsafe {
+                            libc::lseek64(
+                                file.as_raw_fd(),
+                                new_offset as libc::off64_t,
+                                libc::SEEK_SET,
+                            )
+                        };
+                        if res < 0 {
+                            return Err(io::Error::last_os_error().into());
+                        }
+                        Ok(ReplyLSeek { offset: new_offset })
+                    } else {
+                        Err(io::Error::from_raw_os_error(libc::EINVAL).into())
+                    }
+                }
+                // Other whence values are invalid for directories (e.g., SEEK_END)
+                _ => Err(io::Error::from_raw_os_error(libc::EINVAL).into()),
+            }
         } else {
-            Ok(ReplyLSeek { offset: res as u64 })
+            // File seek handling for non-directory files
+            // Acquire the lock to get exclusive access, otherwise it may break do_readdir().
+            let (_guard, file) = data.get_file_mut().await;
+
+            // Safe because this doesn't modify any memory and we check the return value.
+            // Use 64-bit seek for regular files to match kernel offsets
+            let res = unsafe {
+                libc::lseek64(
+                    file.as_raw_fd(),
+                    offset as libc::off64_t,
+                    whence as libc::c_int,
+                )
+            };
+            if res < 0 {
+                Err(io::Error::last_os_error().into())
+            } else {
+                Ok(ReplyLSeek { offset: res as u64 })
+            }
         }
     }
 }
