Using the signed overflow sanitizer with syzkaller produces this UBSAN
report:
[ 31.304043] ------------[ cut here ]------------
[ 31.304048] UBSAN: signed-integer-overflow in ../drivers/tty/vt/vt.c:309:19
[ 31.304055] -2147483648 + -1073741824 cannot be represented in type 'int'
[ 31.304066] CPU: 1 PID: 3894 Comm: syz-executor Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[ 31.304073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.304077] Call Trace:
[ 31.304080] <TASK>
[ 31.304083] dump_stack_lvl+0x93/0xd0
[ 31.304177] handle_overflow+0x171/0x1b0
[ 31.304186] scrollfront+0xcb/0xd0
[ 31.304196] tioclinux+0x3cc/0x450
[ 31.304205] tty_ioctl+0x7fc/0xc00
[ 31.304212] ? __pfx_tty_ioctl+0x10/0x10
[ 31.304219] __se_sys_ioctl+0xe0/0x140
[ 31.304228] do_syscall_64+0xd7/0x1b0
[ 31.304236] ? arch_exit_to_user_mode_prepare+0x11/0x60
[ 31.304244] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 31.304254] RIP: 0033:0x7fc3902ae539
[ 31.304263] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[ 31.304282] RSP: 002b:00007ffc8a457998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 31.304289] RAX: ffffffffffffffda RBX: 00007fc3903e2f80 RCX: 00007fc3902ae539
[ 31.304293] RDX: 0000000020000040 RSI: 000000000000541c RDI: 0000000000000003
[ 31.304297] RBP: 00007fc39030d496 R08: 0000000000000000 R09: 0000000000000000
[ 31.304300] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 31.304304] R13: 0000000000000800 R14: 00007fc3903e2f80 R15: 00007fc3903e2f80
[ 31.304310] </TASK>
[ 31.304371] ---[ end trace ]---
This is caused by the scrollback_delta overflowing. Historically, the
signed integer overflow sanitizer did not work in the kernel due to its
interaction with `-fwrapv`, but this has since been changed [1] in the
newest version of Clang; it was re-enabled in the kernel with commit
557f8c5 ("ubsan: Reintroduce signed overflow sanitizer").
Note that it would be difficult to reproduce this bug in a non-fuzzing
scenario as it requires inputting tons of scroll inputs via keyboard
before the scheduled console callback has had a chance to update.
Nonetheless, let's saturate scrollback_delta so it stays clamped to
integer bounds without wrapping around.
[1]: llvm/llvm-project#82432
Closes: KSPP#351
Signed-off-by: Justin Stitt <justinstitt@google.com>
I am sending a patch soon; this issue is for record keeping.
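As an added example (not the patch the issue refers to, and not code from vt.c), here is a saturating signed add in C that clamps instead of wrapping, replayed on the exact operands from the UBSAN report above; `scroll_state` and `scroll_request` are constructed stand-ins for the vt scrollback bookkeeping, and `sat_add_int` uses `__builtin_add_overflow` so the check is well defined even with the signed-overflow sanitizer enabled.

```c
#include <limits.h>
#include <stdio.h>

/* Saturating signed add: returns a + b clamped to [INT_MIN, INT_MAX].
 * __builtin_add_overflow reports overflow without ever computing a
 * wrapped value, so no signed overflow occurs and UBSAN stays quiet. */
static int sat_add_int(int a, int b)
{
    int sum;

    if (!__builtin_add_overflow(a, b, &sum))
        return sum;
    /* Overflow is only possible when both operands share a sign,
     * so the sign of b decides which bound we saturate to. */
    return (b < 0) ? INT_MIN : INT_MAX;
}

/* Hypothetical stand-in for the scrollback bookkeeping: each keyboard
 * scroll request adds a delta that the console callback consumes later.
 * Constructed for illustration; not the layout used in vt.c. */
struct scroll_state {
    int scrollback_delta;
};

static void scroll_request(struct scroll_state *s, int lines)
{
    /* Clamp rather than wrap, as the issue proposes. */
    s->scrollback_delta = sat_add_int(s->scrollback_delta, lines);
}

/* Replays the operands from the report: -2147483648 + -1073741824.
 * With saturation the result stays at INT_MIN instead of wrapping. */
static int replay_report_case(void)
{
    struct scroll_state s = { .scrollback_delta = INT_MIN };

    scroll_request(&s, -1073741824);
    return s.scrollback_delta;
}

int main(void)
{
    printf("report case  : %d\n", replay_report_case());
    printf("INT_MAX + 1  : %d\n", sat_add_int(INT_MAX, 1));
    printf("100 + -250   : %d\n", sat_add_int(100, -250));
    return 0;
}
```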