* (no subject)
[not found] <bug-200209-27@https.bugzilla.kernel.org/>
@ 2018-06-28 3:48 ` Andrew Morton
2018-06-29 18:44 ` Andrey Ryabinin
2018-06-29 18:44 ` [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint Andrey Ryabinin
0 siblings, 2 replies; 4+ messages in thread
From: Andrew Morton @ 2018-06-28 3:48 UTC (permalink / raw)
To: icytxw
Cc: bugzilla-daemon, linux-mm, Andrey Ryabinin, Alexander Potapenko,
Dmitry Vyukov
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Fri, 22 Jun 2018 23:37:27 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=200209
>
> Bug ID: 200209
> Summary: UBSAN: Undefined behaviour in mm/fadvise.c:LINE
> Product: Memory Management
> Version: 2.5
> Kernel Version: v4.18-rc2
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Page Allocator
> Assignee: akpm@linux-foundation.org
> Reporter: icytxw@gmail.com
> Regression: No
>
> Hi,
> This bug was found in Linux Kernel v4.18-rc2
>
> $ cat report0
> ================================================================================
> UBSAN: Undefined behaviour in mm/fadvise.c:76:10
> signed integer overflow:
> 4 + 9223372036854775805 cannot be represented in type 'long long int'
> CPU: 0 PID: 13477 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x122/0x1c8 lib/dump_stack.c:113
> ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
> handle_overflow+0x1c2/0x21f lib/ubsan.c:190
> __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
> ksys_fadvise64_64+0xbf0/0xd10 mm/fadvise.c:76
> __do_sys_fadvise64 mm/fadvise.c:198 [inline]
> __se_sys_fadvise64 mm/fadvise.c:196 [inline]
> __x64_sys_fadvise64+0xa9/0x120 mm/fadvise.c:196
> do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
That overflow is deliberate:
endbyte = offset + len;
if (!len || endbyte < len)
endbyte = -1;
else
endbyte--; /* inclusive */
Or is there a hole in this logic?
If not, I guess ee can do this another way to keep the checker happy.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re:
2018-06-28 3:48 ` Andrew Morton
@ 2018-06-29 18:44 ` Andrey Ryabinin
2018-06-29 18:44 ` [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint Andrey Ryabinin
1 sibling, 0 replies; 4+ messages in thread
From: Andrey Ryabinin @ 2018-06-29 18:44 UTC (permalink / raw)
To: Andrew Morton, icytxw
Cc: bugzilla-daemon, linux-mm, Alexander Potapenko, Dmitry Vyukov
On 06/28/2018 06:48 AM, Andrew Morton wrote:
>> Hi,
>> This bug was found in Linux Kernel v4.18-rc2
>>
>> $ cat report0
>> ================================================================================
>> UBSAN: Undefined behaviour in mm/fadvise.c:76:10
>> signed integer overflow:
>> 4 + 9223372036854775805 cannot be represented in type 'long long int'
>> CPU: 0 PID: 13477 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x122/0x1c8 lib/dump_stack.c:113
>> ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
>> handle_overflow+0x1c2/0x21f lib/ubsan.c:190
>> __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
>> ksys_fadvise64_64+0xbf0/0xd10 mm/fadvise.c:76
>> __do_sys_fadvise64 mm/fadvise.c:198 [inline]
>> __se_sys_fadvise64 mm/fadvise.c:196 [inline]
>> __x64_sys_fadvise64+0xa9/0x120 mm/fadvise.c:196
>> do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
>
> That overflow is deliberate:
>
> endbyte = offset + len;
> if (!len || endbyte < len)
> endbyte = -1;
> else
> endbyte--; /* inclusive */
>
> Or is there a hole in this logic?
>
> If not, I guess ee can do this another way to keep the checker happy.
It should be enough to make overflow unsigned. Unsigned overflow is defined by the C standard.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint
2018-06-28 3:48 ` Andrew Morton
2018-06-29 18:44 ` Andrey Ryabinin
@ 2018-06-29 18:44 ` Andrey Ryabinin
2018-06-30 1:37 ` Andrew Morton
1 sibling, 1 reply; 4+ messages in thread
From: Andrey Ryabinin @ 2018-06-29 18:44 UTC (permalink / raw)
To: Andrew Morton
Cc: icytxw, Alexander Potapenko, Dmitry Vyukov, linux-mm,
linux-kernel, Andrey Ryabinin
Signed integer overflow is undefined according to the C standard.
The overflow in ksys_fadvise64_64() is deliberate, but since it is signed
overflow, UBSAN complains:
UBSAN: Undefined behaviour in mm/fadvise.c:76:10
signed integer overflow:
4 + 9223372036854775805 cannot be represented in type 'long long int'
Use unsigned types to do math. Unsigned overflow is defined so UBSAN
will not complain about it. This patch doesn't change generated code.
Reported-by: <icytxw@gmail.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
mm/fadvise.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/fadvise.c b/mm/fadvise.c
index afa41491d324..1eaf2002d79a 100644
--- a/mm/fadvise.c
+++ b/mm/fadvise.c
@@ -73,7 +73,7 @@ int ksys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
}
/* Careful about overflows. Len == 0 means "as much as possible" */
- endbyte = offset + len;
+ endbyte = (u64)offset + (u64)len;
if (!len || endbyte < len)
endbyte = -1;
else
--
2.16.4
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint
2018-06-29 18:44 ` [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint Andrey Ryabinin
@ 2018-06-30 1:37 ` Andrew Morton
0 siblings, 0 replies; 4+ messages in thread
From: Andrew Morton @ 2018-06-30 1:37 UTC (permalink / raw)
To: Andrey Ryabinin
Cc: icytxw, Alexander Potapenko, Dmitry Vyukov, linux-mm, linux-kernel
On Fri, 29 Jun 2018 21:44:53 +0300 Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
> Signed integer overflow is undefined according to the C standard.
> The overflow in ksys_fadvise64_64() is deliberate, but since it is signed
> overflow, UBSAN complains:
> UBSAN: Undefined behaviour in mm/fadvise.c:76:10
> signed integer overflow:
> 4 + 9223372036854775805 cannot be represented in type 'long long int'
>
> Use unsigned types to do math. Unsigned overflow is defined so UBSAN
> will not complain about it. This patch doesn't change generated code.
>
> ...
>
> --- a/mm/fadvise.c
> +++ b/mm/fadvise.c
> @@ -73,7 +73,7 @@ int ksys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
> }
>
> /* Careful about overflows. Len == 0 means "as much as possible" */
> - endbyte = offset + len;
> + endbyte = (u64)offset + (u64)len;
> if (!len || endbyte < len)
> endbyte = -1;
> else
Readers of this code will wonder "what the heck are those casts for".
Therefore:
--- a/mm/fadvise.c~mm-fadvise-fix-signed-overflow-ubsan-complaint-fix
+++ a/mm/fadvise.c
@@ -72,7 +72,11 @@ int ksys_fadvise64_64(int fd, loff_t off
goto out;
}
- /* Careful about overflows. Len == 0 means "as much as possible" */
+ /*
+ * Careful about overflows. Len == 0 means "as much as possible". Use
+ * unsigned math because signed overflows are undefined and UBSan
+ * complains.
+ */
endbyte = (u64)offset + (u64)len;
if (!len || endbyte < len)
endbyte = -1;
_
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-06-30 1:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <bug-200209-27@https.bugzilla.kernel.org/>
2018-06-28 3:48 ` Andrew Morton
2018-06-29 18:44 ` Andrey Ryabinin
2018-06-29 18:44 ` [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint Andrey Ryabinin
2018-06-30 1:37 ` Andrew Morton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox