UBSAN: signed-integer-overflow in ../fs/libfs.c:149:11 #359

Open
JustinStitt opened this issue May 9, 2024 · 1 comment
Labels: [PATCH] Submitted (A patch has been submitted upstream)

Comments

@JustinStitt
Copy link
Collaborator

JustinStitt commented May 9, 2024

[ 6008.461516] ------------[ cut here ]------------
[ 6008.464680] UBSAN: signed-integer-overflow in ../fs/libfs.c:149:11
[ 6008.468664] 9223372036854775807 + 16387 cannot be represented in type 'loff_t' (aka 'long long')
[ 6008.474167] CPU: 1 PID: 1214 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00041-gec7cb1052e44-dirty #15
[ 6008.479662] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 6008.485276] Call Trace:
[ 6008.486819]  <TASK>
[ 6008.488258]  dump_stack_lvl+0x93/0xd0
[ 6008.490535]  handle_overflow+0x171/0x1b0
[ 6008.492957]  dcache_dir_lseek+0x3bf/0x3d0
[ 6008.495455]  ? mutex_lock+0x4b/0x90
[ 6008.497626]  __x64_sys_lseek+0x150/0x1b0
[ 6008.500035]  do_syscall_64+0xd7/0x1b0
[ 6008.502294]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[ 6008.505479]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 6008.508531] RIP: 0033:0x7feadbaf6539
[ 6008.510736] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[ 6008.521796] RSP: 002b:00007ffcf6fbe278 EFLAGS: 00000246 ORIG_RAX: 0000000000000008
[ 6008.526359] RAX: ffffffffffffffda RBX: 00007feadbc2af80 RCX: 00007feadbaf6539
[ 6008.530637] RDX: 0000000000000001 RSI: 7fffffffffffffff RDI: 0000000000000003
[ 6008.534919] RBP: 00007feadbb55496 R08: 0000000000000000 R09: 0000000000000000
[ 6008.539216] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 6008.543455] R13: 00000000000009e7 R14: 00007feadbc2af80 R15: 00007feadbc2af80
[ 6008.547714]  </TASK>
[ 6008.549334] ---[ end trace ]---
@JustinStitt JustinStitt self-assigned this May 9, 2024
@JustinStitt JustinStitt added the [PATCH] Submitted A patch has been submitted upstream label May 10, 2024
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue May 10, 2024
Running syzkaller with the newly reintroduced signed integer overflow
sanitizer gives this report:

[ 6008.464680] UBSAN: signed-integer-overflow in ../fs/libfs.c:149:11
[ 6008.468664] 9223372036854775807 + 16387 cannot be represented in type 'loff_t' (aka 'long long')
[ 6008.474167] CPU: 1 PID: 1214 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00041-gec7cb1052e44-dirty torvalds#15
[ 6008.479662] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 6008.485276] Call Trace:
[ 6008.486819]  <TASK>
[ 6008.488258]  dump_stack_lvl+0x93/0xd0
[ 6008.490535]  handle_overflow+0x171/0x1b0
[ 6008.492957]  dcache_dir_lseek+0x3bf/0x3d0
...

Use the check_add_overflow() helper to gracefully check for
unintentional overflow causing wraparound in our offset calculations.

Link: llvm/llvm-project#82432 [1]
Closes: KSPP#359
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
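The report's operands (9223372036854775807 + 16387) are LLONG_MAX passed as the lseek offset plus the file's current position, which is the SEEK_CUR path. The following is an added user-space model of that path, not the kernel's fs/libfs.c code and not the submitted patch: it assumes dcache_dir_lseek adds f_pos to the offset for SEEK_CUR and then rejects negative offsets, uses the compiler's __builtin_add_overflow as a stand-in for the kernel's check_add_overflow() helper, and picks -EOVERFLOW as the error for a wrapped sum (the errno choice is this example's, not necessarily upstream's).

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the part of struct file that lseek touches.
 * The kernel's loff_t is 'long long', as the UBSAN message says; a plain
 * long long is used here to avoid clashing with libc's own loff_t. */
struct file_model {
	long long f_pos;
};

/*
 * User-space equivalent of the kernel's check_add_overflow(): the builtin
 * returns true when a + b does not fit in *res, and the addition itself is
 * never evaluated as signed arithmetic, so no undefined behaviour occurs.
 */
static bool checked_add(long long a, long long b, long long *res)
{
	return __builtin_add_overflow(a, b, res);
}

/*
 * Model of the SEEK_SET / SEEK_CUR handling with the overflow check applied
 * (assumption: structure modelled on dcache_dir_lseek, exact upstream diff
 * may differ). Returns the new offset, or a negative errno.
 */
long long model_dir_lseek(struct file_model *file, long long offset, int whence)
{
	switch (whence) {
	case SEEK_CUR:
		/* Reject the request instead of letting LLONG_MAX + f_pos wrap. */
		if (checked_add(file->f_pos, offset, &offset))
			return -EOVERFLOW;
		/* fall through */
	case SEEK_SET:
		if (offset >= 0)
			break;
		/* fall through */
	default:
		return -EINVAL;
	}
	file->f_pos = offset;
	return offset;
}

int main(void)
{
	/* Constructed input mirroring the report: f_pos 16387, offset LLONG_MAX. */
	struct file_model f = { 16387 };
	long long r = model_dir_lseek(&f, LLONG_MAX, SEEK_CUR);

	printf("SEEK_CUR by LLONG_MAX from %lld -> %lld (f_pos still %lld)\n",
	       16387LL, r, f.f_pos);
	return 0;
}
```

With the report's values the checked version returns an error and leaves f_pos untouched; the unchecked addition would instead wrap to a negative value, which is the undefined behaviour UBSAN flags even if a later `offset >= 0` test happens to catch the result.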