search

KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
Other
83 stars 5 forks source link

UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 #355

Closed JustinStitt closed 1 month ago

JustinStitt commented 6 months ago 
[  366.012589] ------------[ cut here ]------------
[  366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33
[  366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')
[  366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO
[  366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[  366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  366.027518] Call Trace:
[  366.027523]  <TASK>
[  366.027533]  dump_stack_lvl+0x93/0xd0
[  366.027899]  handle_overflow+0x171/0x1b0
[  366.038787] ata1.00: invalid multi_count 32 ignored
[  366.043924]  cdrom_ioctl+0x2c3f/0x2d10
[  366.063932]  ? __pm_runtime_resume+0xe6/0x130
[  366.071923]  sr_block_ioctl+0x15d/0x1d0
[  366.074624]  ? __pfx_sr_block_ioctl+0x10/0x10
[  366.077642]  blkdev_ioctl+0x419/0x500
[  366.080231]  ? __pfx_blkdev_ioctl+0x10/0x10
[  366.082992]  __se_sys_ioctl+0xdd/0x140
[  366.085637]  do_syscall_64+0xd4/0x1b0
[  366.088090]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[  366.091615]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[  366.094925] RIP: 0033:0x7f6e5ce52539
[  366.097327] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[  366.108808] RSP: 002b:00007f6e5c1ea0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  366.113542] RAX: ffffffffffffffda RBX: 00007f6e5cf86f80 RCX: 00007f6e5ce52539
[  366.117983] RDX: 0000000020000240 RSI: 0000000000005396 RDI: 0000000000000003
[  366.122469] RBP: 00007f6e5ceb1496 R08: 0000000000000000 R09: 0000000000000000
[  366.126878] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  366.131294] R13: 0000000000000002 R14: 00007f6e5cf86f80 R15: 00007fff7cf4b128
[  366.135819]  </TASK>
[  366.137514] ---[ end trace ]---
JustinStitt commented 6 months ago

patch: https://lore.kernel.org/r/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com

JustinStitt commented 1 month ago

closing this (and other overflow issues) because they're just polluting the issue tracker and we have a plan to resolve many of these with toolchain features.