Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UBSAN: signed-integer-overflow in ../fs/open.c:321:61 #356

Closed
JustinStitt opened this issue May 7, 2024 · 2 comments
Closed

UBSAN: signed-integer-overflow in ../fs/open.c:321:61 #356

JustinStitt opened this issue May 7, 2024 · 2 comments
Assignees
@JustinStitt
Labels
[PATCH] Submitted A patch has been submitted upstream

Comments

@JustinStitt
Copy link
Collaborator

JustinStitt commented May 7, 2024
edited

two spots col 15 and col 61

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014                                                                       [0/634]
[  195.425804] Call Trace:                                                                   
[  195.427360]  <TASK>      
[  195.428791]  dump_stack_lvl+0x93/0xd0                                                     
[  195.431150]  handle_overflow+0x171/0x1b0                                                  
[  195.433640]  vfs_fallocate+0x459/0x4f0
[  195.435997]  __x64_sys_fallocate+0xb2/0xf0
[  195.438499]  do_syscall_64+0xd7/0x1b0                                                     
[  195.440804]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[  195.443983]  entry_SYSCALL_64_after_hwframe+0x6f/0x77                                     
[  195.447056] RIP: 0033:0x7f2c76430539                                                      
[  195.449324] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[  195.460344] RSP: 002b:00007ffe905d4be8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d        
[  195.464881] RAX: ffffffffffffffda RBX: 00007f2c76564f80 RCX: 00007f2c76430539             
[  195.469165] RDX: 7fffffffffffffff RSI: 0000000000000010 RDI: 0000000000000003             
[  195.473481] RBP: 00007f2c7648f496 R08: 0000000000000000 R09: 0000000000000000                                                                                                          
[  195.477784] R10: 0002000807fffff7 R11: 0000000000000246 R12: 0000000000000000                                                                                                          
[  195.482076] R13: 00000000000000d8 R14: 00007f2c76564f80 R15: 00007f2c76564f80        
[  195.486331]  </TASK>                 
[  195.487993] ---[ end trace ]---                                                                                                                                                        
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61                                                                                                                      
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')                                                                             
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11                                                                                   
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014                                                                              
[  195.514075] Call Trace:                                                                                                                                                                
[  195.515636]  <TASK>                                                                                                                                                                    
[  195.517000]  dump_stack_lvl+0x93/0xd0                                                                                                                                                  
[  195.519255]  handle_overflow+0x171/0x1b0                                                                                                                                               
[  195.521677]  vfs_fallocate+0x4cb/0x4f0                                                                                                                                                 
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0                                                                                                                                             
[  195.526529]  do_syscall_64+0xd7/0x1b0                                                                                                                                                  
[  195.528814]  ? arch_exit_to_user_mode_prepare+0x11/0x60                                                                                                                                
[  195.531996]  entry_SYSCALL_64_after_hwframe+0x6f/0x77                                                                                                                                  
[  195.535057] RIP: 0033:0x7f2c76430539                                                                                                                                                   
[  195.537314] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[  195.548522] RSP: 002b:00007ffe905d4be8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d                                                                                                     
[  195.553089] RAX: ffffffffffffffda RBX: 00007f2c76564f80 RCX: 00007f2c76430539                                                                                                          
[  195.557334] RDX: 7fffffffffffffff RSI: 0000000000000010 RDI: 0000000000000003                                                                                                          
[  195.561613] RBP: 00007f2c7648f496 R08: 0000000000000000 R09: 0000000000000000                                                                                                          
[  195.565890] R10: 0002000807fffff7 R11: 0000000000000246 R12: 0000000000000000                                                                                                          
[  195.570176] R13: 00000000000000d8 R14: 00007f2c76564f80 R15: 00007f2c76564f80                                                                                                          
[  195.574428]  </TASK>                                                                                                                                                                   
[  195.576060] ---[ end trace ]---
@JustinStitt JustinStitt self-assigned this May 7, 2024
@JustinStitt
Copy link
Collaborator Author

patch: https://lore.kernel.org/r/20240507-b4-sio-vfs_fallocate-v1-1-322f84b97ad5@google.com

@JustinStitt JustinStitt added the [PATCH] Submitted A patch has been submitted upstream label May 7, 2024
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue May 8, 2024
@intel-lab-lkp
fs: remove accidental overflow during wraparound check
a59aa5f 
Running syzkaller with the newly enabled signed integer overflow
sanitizer produces this report:

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty torvalds#11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.425804] Call Trace:
[  195.427360]  <TASK>
[  195.428791]  dump_stack_lvl+0x93/0xd0
[  195.431150]  handle_overflow+0x171/0x1b0
[  195.433640]  vfs_fallocate+0x459/0x4f0
...
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long)
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty torvalds#11
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.514075] Call Trace:
[  195.515636]  <TASK>
[  195.517000]  dump_stack_lvl+0x93/0xd0
[  195.519255]  handle_overflow+0x171/0x1b0
[  195.521677]  vfs_fallocate+0x4cb/0x4f0
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c5 ("ubsan: Reintroduce signed overflow
sanitizer").

Let's use the check_add_overflow helper to first verify the addition
stays within the bounds of its type (long long); then we can use that
sum for the following check.

Link: llvm/llvm-project#82432 [1]
Closes: KSPP#356
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
@JustinStitt
Copy link
Collaborator Author

Applied to a tree, closing issue: https://lore.kernel.org/all/20240515-rentier-abwinken-f9c282783235@brauner/

brauner pushed a commit to brauner/linux that referenced this issue May 24, 2024
@brauner
fs: remove accidental overflow during wraparound check
7ddee8b 
Running syzkaller with the newly enabled signed integer overflow
sanitizer produces this report:

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.425804] Call Trace:
[  195.427360]  <TASK>
[  195.428791]  dump_stack_lvl+0x93/0xd0
[  195.431150]  handle_overflow+0x171/0x1b0
[  195.433640]  vfs_fallocate+0x459/0x4f0
...
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long)
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.514075] Call Trace:
[  195.515636]  <TASK>
[  195.517000]  dump_stack_lvl+0x93/0xd0
[  195.519255]  handle_overflow+0x171/0x1b0
[  195.521677]  vfs_fallocate+0x4cb/0x4f0
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c5 ("ubsan: Reintroduce signed overflow
sanitizer").

Let's use the check_add_overflow helper to first verify the addition
stays within the bounds of its type (long long); then we can use that
sum for the following check.

Link: llvm/llvm-project#82432 [1]
Closes: KSPP/linux#356
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240513-b4-sio-vfs_fallocate-v2-1-db415872fb16@google.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
1054009064 pushed a commit to 1054009064/linux that referenced this issue May 28, 2024
@brauner
fs: remove accidental overflow during wraparound check
457e132 
Running syzkaller with the newly enabled signed integer overflow
sanitizer produces this report:

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty torvalds#11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.425804] Call Trace:
[  195.427360]  <TASK>
[  195.428791]  dump_stack_lvl+0x93/0xd0
[  195.431150]  handle_overflow+0x171/0x1b0
[  195.433640]  vfs_fallocate+0x459/0x4f0
...
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long)
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty torvalds#11
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.514075] Call Trace:
[  195.515636]  <TASK>
[  195.517000]  dump_stack_lvl+0x93/0xd0
[  195.519255]  handle_overflow+0x171/0x1b0
[  195.521677]  vfs_fallocate+0x4cb/0x4f0
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c5 ("ubsan: Reintroduce signed overflow
sanitizer").

Let's use the check_add_overflow helper to first verify the addition
stays within the bounds of its type (long long); then we can use that
sum for the following check.

Link: llvm/llvm-project#82432 [1]
Closes: KSPP#356
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240513-b4-sio-vfs_fallocate-v2-1-db415872fb16@google.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
brauner pushed a commit to brauner/linux that referenced this issue Jun 10, 2024
@brauner
fs: remove accidental overflow during wraparound check
23cc6ef 
Running syzkaller with the newly enabled signed integer overflow
sanitizer produces this report:

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.425804] Call Trace:
[  195.427360]  <TASK>
[  195.428791]  dump_stack_lvl+0x93/0xd0
[  195.431150]  handle_overflow+0x171/0x1b0
[  195.433640]  vfs_fallocate+0x459/0x4f0
...
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long)
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.514075] Call Trace:
[  195.515636]  <TASK>
[  195.517000]  dump_stack_lvl+0x93/0xd0
[  195.519255]  handle_overflow+0x171/0x1b0
[  195.521677]  vfs_fallocate+0x4cb/0x4f0
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c5 ("ubsan: Reintroduce signed overflow
sanitizer").

Let's use the check_add_overflow helper to first verify the addition
stays within the bounds of its type (long long); then we can use that
sum for the following check.

Link: llvm/llvm-project#82432 [1]
Closes: KSPP/linux#356
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240513-b4-sio-vfs_fallocate-v2-1-db415872fb16@google.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JustinStitt JustinStitt

Labels
[PATCH] Submitted A patch has been submitted upstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JustinStitt