KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

UBSAN: signed-integer-overflow in ../fs/open.c:321:61 #356

Closed JustinStitt closed 1 month ago

JustinStitt commented 2 months ago

Two spots: col 15 and col 61.

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.425804] Call Trace:
[  195.427360]  <TASK>
[  195.428791]  dump_stack_lvl+0x93/0xd0
[  195.431150]  handle_overflow+0x171/0x1b0
[  195.433640]  vfs_fallocate+0x459/0x4f0
[  195.435997]  __x64_sys_fallocate+0xb2/0xf0
[  195.438499]  do_syscall_64+0xd7/0x1b0
[  195.440804]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[  195.443983]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[  195.447056] RIP: 0033:0x7f2c76430539
[  195.449324] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[  195.460344] RSP: 002b:00007ffe905d4be8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
[  195.464881] RAX: ffffffffffffffda RBX: 00007f2c76564f80 RCX: 00007f2c76430539
[  195.469165] RDX: 7fffffffffffffff RSI: 0000000000000010 RDI: 0000000000000003
[  195.473481] RBP: 00007f2c7648f496 R08: 0000000000000000 R09: 0000000000000000
[  195.477784] R10: 0002000807fffff7 R11: 0000000000000246 R12: 0000000000000000
[  195.482076] R13: 00000000000000d8 R14: 00007f2c76564f80 R15: 00007f2c76564f80
[  195.486331]  </TASK>
[  195.487993] ---[ end trace ]---
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.514075] Call Trace:
[  195.515636]  <TASK>
[  195.517000]  dump_stack_lvl+0x93/0xd0
[  195.519255]  handle_overflow+0x171/0x1b0
[  195.521677]  vfs_fallocate+0x4cb/0x4f0
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0
[  195.526529]  do_syscall_64+0xd7/0x1b0
[  195.528814]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[  195.531996]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[  195.535057] RIP: 0033:0x7f2c76430539
[  195.537314] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[  195.548522] RSP: 002b:00007ffe905d4be8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
[  195.553089] RAX: ffffffffffffffda RBX: 00007f2c76564f80 RCX: 00007f2c76430539
[  195.557334] RDX: 7fffffffffffffff RSI: 0000000000000010 RDI: 0000000000000003
[  195.561613] RBP: 00007f2c7648f496 R08: 0000000000000000 R09: 0000000000000000
[  195.565890] R10: 0002000807fffff7 R11: 0000000000000246 R12: 0000000000000000
[  195.570176] R13: 00000000000000d8 R14: 00007f2c76564f80 R15: 00007f2c76564f80
[  195.574428]  </TASK>
[  195.576060] ---[ end trace ]---
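To make the report concrete, the following is an added illustration (not kernel code and not the patch from the linked thread) of why the two `offset + len` additions UBSAN flags are a problem and how an overflow-safe range check avoids them. It assumes a constructed `s_maxbytes` value and takes `offset` (RDX) and `len` (R10) from the register dump above; the hypothetical `range_check_wrapping` models the report's check shape and `range_check_safe` the hardened form.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

typedef long long loff_t;	/* the kernel's loff_t is 'long long', as UBSAN says */

/* Constructed stand-in for inode->i_sb->s_maxbytes; the real value is per filesystem. */
static const loff_t s_maxbytes = (loff_t)1 << 52;

/* Arguments from the register dump of the fallocate(2) call: RDX is offset, R10 is len. */
#define REPORT_OFFSET ((loff_t)0x7fffffffffffffffLL)
#define REPORT_LEN    ((loff_t)0x0002000807fffff7LL)

/* True when offset + len cannot be represented in loff_t, which is exactly the
 * condition UBSAN reported.  __builtin_add_overflow never evaluates an
 * overflowing signed expression, so it carries no undefined behaviour. */
static bool sum_overflows(loff_t offset, loff_t len)
{
	loff_t unused;
	return __builtin_add_overflow(offset, len, &unused);
}

/* Shape of the check the report points at: 'offset + len' is formed twice and
 * the '< 0' comparison is meant to catch wrap through zero.  Signed overflow is
 * undefined behaviour, so a compiler may assume the sum of two non-negative
 * values is non-negative and drop that comparison.  The wrap is modelled in
 * unsigned arithmetic here so the function behaves the same on every build. */
static int range_check_wrapping(loff_t offset, loff_t len)
{
	loff_t sum = (loff_t)((unsigned long long)offset + (unsigned long long)len);
	return (sum > s_maxbytes || sum < 0) ? -EFBIG : 0;
}

/* Hardened form: reject the request before any overflowing sum exists.
 * __builtin_add_overflow is the primitive behind the kernel's check_add_overflow(). */
static int range_check_safe(loff_t offset, loff_t len)
{
	loff_t sum;
	if (__builtin_add_overflow(offset, len, &sum) || sum > s_maxbytes)
		return -EFBIG;
	return 0;
}

int main(void)
{
	printf("reported inputs overflow loff_t: %s\n",
	       sum_overflows(REPORT_OFFSET, REPORT_LEN) ? "yes" : "no");
	printf("wrapping check -> %d, overflow-safe check -> %d\n",
	       range_check_wrapping(REPORT_OFFSET, REPORT_LEN),
	       range_check_safe(REPORT_OFFSET, REPORT_LEN));
	return 0;
}
```

On a plain build both checks reject the reported inputs, because the hardware add wraps to a negative value; the difference is that only the overflow-safe form keeps that outcome guaranteed once the compiler is free to exploit the undefined overflow.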
JustinStitt commented 2 months ago

patch: https://lore.kernel.org/r/20240507-b4-sio-vfs_fallocate-v1-1-322f84b97ad5@google.com

JustinStitt commented 1 month ago

Applied to a tree, closing issue: https://lore.kernel.org/all/20240515-rentier-abwinken-f9c282783235@brauner/