Hi Ludo,

On Fri, 25 Sep 2020 18:02:54 +0200
Ludovic Courtès wrote:

> What are the odds of a build succeeding in the presence of broken
> getdents/readdir? Wouldn’t such builds simply fail (as in the CMake
> case), as opposed to succeeding but somehow producing invalid binaries?

I don't know what hashing mechanism ext4 uses, but I guess the odds are
not that high IF THE DIRECTORY IS RANDOM. If it's crafted by a malicious
person, all bets are off.

However, notice that glibc can only fail out of readdir once it gets an
*actual* value >= 2**32. It's totally possible in principle to have a
directory with 200 entries, the first 100 of which have d_off < 2**32,
and the 101st has d_off >= 2**32. Readdir will only stop after having
given back 100 entries to the caller. The caller most likely will
process those 100 entries. That's it, you've just forgotten to
install/copy/read/whatever half the files.

Technically the caller could examine errno to find out that something
bad happened while using readdir, but odds are that they don't (I
haven't seen anyone do that in my entire career)--and also the error
code they are using is undocumented[1]. So even a person who would check
wouldn't expect this error value (errno == EOVERFLOW). In short, it
won't work in practice.

> We can still disable emulated builds on ci.guix.gnu.org, but let’s
> first make sure we understand the practical impact of this bug.

We need non-emulated builds to compare.

If a real ARM machine uses substitutes for anything, it probably picks
up now-untrustworthy builds made by x86_64 for ARM and builds on top of
those. Or don't they use substitutes? In that case everything would be
OK-ish. Otherwise huge mess...

[1] "man getdents64" does not list EOVERFLOW--at least not for me.
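
Added example, not part of the original message: a readdir loop that treats NULL as end-of-directory, next to one that clears and checks errno, so the truncated listing described above is reported instead of silently accepted. `fake_readdir`, `count_unchecked` and `count_checked` are hypothetical names; the fake reader is a constructed stand-in for the failure, not glibc code.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as readdir(3), so a failing reader can be injected. */
typedef struct dirent *(*readdir_fn)(DIR *);

/* The common loop: NULL is taken to mean "end of directory". */
long count_unchecked(DIR *dir, readdir_fn rd)
{
    long n = 0;
    while (rd(dir) != NULL)
        n++;
    return n;
}

/* Checked loop: entry count, or -1 with errno set if readdir failed. */
long count_checked(DIR *dir, readdir_fn rd)
{
    long n = 0;
    for (;;) {
        errno = 0;                  /* NULL with errno == 0 is the real end */
        if (rd(dir) == NULL)
            return errno ? -1 : n;
        n++;
    }
}

/* Constructed stand-in for the failure in the message: 100 entries are
   returned, then NULL with errno == EOVERFLOW. */
int fake_left = 100;
struct dirent *fake_readdir(DIR *unused)
{
    static struct dirent d;
    (void)unused;
    if (fake_left-- > 0)
        return &d;
    errno = EOVERFLOW;
    return NULL;
}

int main(void)
{
    printf("unchecked: %ld\n", count_unchecked(NULL, fake_readdir));
    fake_left = 100;
    long n = count_checked(NULL, fake_readdir);
    printf("checked: %ld (%s)\n", n, n < 0 ? strerror(errno) : "ok");
}
```

The unchecked loop reports 100 entries as if the directory were complete; the checked loop returns -1 and leaves EOVERFLOW in errno for the caller to act on.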