KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

UBSAN: signed-integer-overflow in ../fs/read_write.c:91:10 #358

Open JustinStitt opened 2 months ago

JustinStitt commented 2 months ago
[   67.991989] ------------[ cut here ]------------
[   67.995501] UBSAN: signed-integer-overflow in ../fs/read_write.c:91:10
[   68.000067] 9223372036854775807 + 4096 cannot be represented in type 'loff_t' (aka 'long long')
[   68.006266] CPU: 4 PID: 10851 Comm: syz-executor.5 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   68.012353] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   68.018983] Call Trace:
[   68.020803]  <TASK>
[   68.022540]  dump_stack_lvl+0x93/0xd0
[   68.025222]  handle_overflow+0x171/0x1b0
[   68.028053]  generic_file_llseek_size+0x35b/0x380
[   68.031298]  ? generic_file_llseek+0x25/0xd0
[   68.034350]  kernfs_fop_llseek+0x12c/0x170
[   68.037312]  __x64_sys_lseek+0x14d/0x1b0
[   68.040091]  do_syscall_64+0xd4/0x1b0
[   68.042751]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[   68.046454]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   68.046471] RIP: 0033:0x7f305def5539
[   68.046477] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   68.046498] RSP: 002b:00007f305d28d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000008
[   68.046508] RAX: ffffffffffffffda RBX: 00007f305e029f80 RCX: 00007f305def5539
[   68.046514] RDX: 0000000000000002 RSI: 7fffffffffffffff RDI: 0000000000000003
[   68.046518] RBP: 00007f305df54496 R08: 0000000000000000 R09: 0000000000000000
[   68.046523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   68.046528] R13: 0000000000000002 R14: 00007f305e029f80 R15: 00007ffe726866f8
[   68.046543]  </TASK>
[   68.046746] ---[ end trace ]---
[   68.956760] 9pnet_fd: Insufficient options for proto=fd
[   68.979618] 9pnet_fd: Insufficient options for proto=fd
[   68.990464] 9pnet_fd: Insufficient options for proto=fd
JustinStitt commented 1 month ago

~[PATCH] fs: fix unintentional arithmetic wraparound in offset calculation~

JustinStitt commented 1 month ago

Looks like there's another instance in the same file:

[   50.998938] UBSAN: signed-integer-overflow in ../fs/read_write.c:108:41
[   51.009811] 4 + 9223372036854775807 cannot be represented in type 'loff_t' (aka 'long long')
[   51.009823] CPU: 0 PID: 7003 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   51.009838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   51.033007] Call Trace:
[   51.035388]  <TASK>
[   51.037352]  dump_stack_lvl+0x93/0xd0
[   51.040482]  handle_overflow+0x171/0x1b0
[   51.044130]  generic_file_llseek_size+0x377/0x380
[   51.048246]  __x64_sys_lseek+0x14d/0x1b0
[   51.051659]  do_syscall_64+0xd4/0x1b0
[   51.054889]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[   51.059595]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   51.064031] RIP: 0033:0x7f3a5c75c539
[   51.067312] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   51.080035] RSP: 002b:00007f3a5baf40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000008
[   51.084867] RAX: ffffffffffffffda RBX: 00007f3a5c890f80 RCX: 00007f3a5c75c539
[   51.089767] RDX: 0000000000000001 RSI: 7fffffffffffffff RDI: 0000000000000003
[   51.094546] RBP: 00007f3a5c7bb496 R08: 0000000000000000 R09: 0000000000000000
[   51.099230] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   51.104080] R13: 0000000000000002 R14: 00007f3a5c890f80 R15: 00007fffdd89eb28
[   51.109259]  </TASK>
[   51.112629] ---[ end trace ]---

I'll send a v2 shortly addressing this newly found instance.

JustinStitt commented 1 month ago

And another!

UBSAN: signed-integer-overflow in ../fs/read_write.c:1666:11
9223372036854775807 - -9223231299366420479 cannot be represented in type 'loff_t' (aka 'long long')
CPU: 5 PID: 23543 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x93/0xd0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 handle_overflow+0x171/0x1b0 lib/ubsan.c:248
 generic_write_check_limits fs/read_write.c:1666 [inline]
 generic_copy_file_checks fs/read_write.c:1464 [inline]
...

... and here

UBSAN: signed-integer-overflow in ../fs/read_write.c:1657:12
142606336 - -9223372036854775807 cannot be represented in type 'loff_t' (aka 'long long')
CPU: 7 PID: 18813 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x93/0xd0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 handle_overflow+0x171/0x1b0 lib/ubsan.c:248
 generic_write_check_limits fs/read_write.c:1657 [inline]
 generic_copy_file_checks fs/read_write.c:1464 [inline]
...
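
The arithmetic these traces flag, as an added example that is not code from the report or from the kernel tree: a user-space C model of the checked addition (the `base + offset` seek step) and checked subtraction (the `limit - pos` write-limit step) that refuse to wrap, built on `__builtin_add_overflow`/`__builtin_sub_overflow`, the GCC/Clang primitives behind the kernel's `check_add_overflow()`/`check_sub_overflow()`. The `loff_t` typedef, `ERR_OVERFLOW` and the function names are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>

/* The kernel's loff_t is a signed 64-bit type; modelled here as long long. */
typedef long long loff_t;

/* Placeholder error value for the overflow case (the kernel's own code picks its errno). */
#define ERR_OVERFLOW (-75)

/* Checked form of the "base + offset" step behind SEEK_CUR/SEEK_END seeks
 * (the read_write.c:91 and :108 traces). __builtin_add_overflow is the GCC/Clang
 * primitive wrapped by the kernel's check_add_overflow(): it adds at full
 * precision and reports truncation instead of wrapping. Returns 0 and stores
 * the sum in *result, or ERR_OVERFLOW with *result untouched. */
int seek_add_checked(loff_t base, loff_t offset, loff_t *result)
{
    loff_t sum;

    if (__builtin_add_overflow(base, offset, &sum))
        return ERR_OVERFLOW;
    *result = sum;
    return 0;
}

/* Checked form of the "limit - pos" step in the write-limit checks (the :1657
 * and :1666 traces), where a negative pos pushes the difference past
 * LLONG_MAX. Same contract as seek_add_checked. */
int limit_sub_checked(loff_t limit, loff_t pos, loff_t *result)
{
    loff_t diff;

    if (__builtin_sub_overflow(limit, pos, &diff))
        return ERR_OVERFLOW;
    *result = diff;
    return 0;
}

int main(void)
{
    loff_t out;
    /* Operands taken from the UBSAN messages above; 9223372036854775807 is LLONG_MAX. */
    printf("LLONG_MAX + 4096 -> %d\n", seek_add_checked(LLONG_MAX, 4096, &out));
    printf("142606336 - (-LLONG_MAX) -> %d\n", limit_sub_checked(142606336, -LLONG_MAX, &out));
    if (seek_add_checked(4, 4096, &out) == 0)
        printf("4 + 4096 -> %lld\n", out);
    return 0;
}
```
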
JustinStitt commented 1 month ago

v3: https://lore.kernel.org/all/20240517-b4-sio-read_write-v3-1-f180df0a19e6@google.com/