From: Sam Sun <samsun1006219@gmail.com>
Date: Fri, 1 Mar 2024 11:38:55 +0800
Subject: [Linux Kernel Bug] UBSAN: shift-out-of-bounds in fault_around_bytes_set
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org
Cc: syzkaller@googlegroups.com

Dear developers and maintainers,

We found a shift-out-of-bounds bug in mm/memory.c. The UBSAN report is listed below.
```
UBSAN: shift-out-of-bounds in /home/sy/linux-original/include/linux/log2.h:67:13
shift exponent 4294967295 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 8091 Comm: syz-executor371 Not tainted 6.7.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_shift_out_of_bounds+0x24b/0x430 lib/ubsan.c:387
 __rounddown_pow_of_two include/linux/log2.h:67 [inline]
 fault_around_bytes_set.cold+0x19/0x1e mm/memory.c:4527
 simple_attr_write_xsigned.constprop.0.isra.0+0x1ed/0x2d0 fs/libfs.c:1301
 debugfs_attr_write_xsigned fs/debugfs/file.c:485 [inline]
 debugfs_attr_write+0x74/0xa0 fs/debugfs/file.c:493
 vfs_write+0x2a9/0xd80 fs/read_write.c:582
 ksys_write+0x122/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fa30d5d7fcd
Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc8b7ee1b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffc8b7ee3b8 RCX: 00007fa30d5d7fcd
RDX: 0000000000000002 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffc8b7ee3b8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc8b7ee3a8 R14: 00007fa30d655530 R15: 0000000000000001
 </TASK>
================================================================================
```

In function simple_attr_write_xsigned, a user-controlled string "buf" is copied and converted to a long by the function "kstrtoll". If buf is "0", the val passed to fault_around_bytes_set is 0, which would trigger the shift-out-of-bounds bug.
If you have any questions, please contact us.

Reported by Yue Sun <samsun1006219@gmail.com>

Best Regards,
Yue
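A userspace model of the write path in the trace above, added here as an example; it is not part of the reporter's message and not code from the kernel tree. It assumes PAGE_SIZE 4096 and PTRS_PER_PTE 512 (the x86-64 values), models rounddown_pow_of_two() on the `1UL << (fls_long(n) - 1)` form in include/linux/log2.h that the trace points at, and treats the setter's upper-bound check as illustrative. The checked rounding helper returns false at exactly the point where the kernel executes the shift UBSAN flagged (fls_long(0) is 0, so the exponent is -1, i.e. 4294967295 as an unsigned shift count); the clamped setter shows the ordering that keeps a zero from reaching the rounding at all.

```c
/*
 * Added example, not code from the report or the kernel tree: a userspace
 * model of the debugfs write path, from the user-written string through the
 * setter into rounddown_pow_of_two(), showing why a value of 0 ends in an
 * undefined shift and how clamping before rounding avoids it.
 * Assumptions (mine, not from the page): PAGE_SIZE 4096, PTRS_PER_PTE 512;
 * rounddown_pow_of_two() modelled on 1UL << (fls_long(n) - 1).
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE     4096UL
#define PTRS_PER_PTE  512UL
#define BITS_PER_LONG ((int)(8 * sizeof(unsigned long)))

/* Model of fls_long(): 1-based index of the highest set bit, 0 for n == 0. */
static int fls_long(unsigned long n)
{
	int r = 0;
	for (; n; n >>= 1)
		r++;
	return r;
}

/* log2.h computes 1UL << (fls_long(n) - 1); for n == 0 the exponent is -1,
 * i.e. 4294967295 as an unsigned shift count, which is what UBSAN reported.
 * This variant returns false instead of executing the undefined shift. */
static bool rounddown_pow_of_two_checked(unsigned long n, unsigned long *out)
{
	int shift = fls_long(n) - 1;
	if (shift < 0 || shift >= BITS_PER_LONG)
		return false;
	*out = 1UL << shift;
	return true;
}

/* Stand-in for the kernel's kstrto* parsing of the buffer the user wrote. */
static bool parse_u64(const char *buf, unsigned long long *val)
{
	char *end;
	errno = 0;
	*val = strtoull(buf, &end, 0);
	return errno == 0 && end != buf && (*end == '\0' || *end == '\n');
}

/* Ordering as described in the report: the range check lets 0 through and
 * the value is rounded before any minimum is applied. -ERANGE marks the
 * point where the kernel, lacking this guard, executes the undefined shift. */
static int fault_around_set_unclamped(const char *buf, unsigned long *pages)
{
	unsigned long long val;
	unsigned long rounded;
	if (!parse_u64(buf, &val) || val / PAGE_SIZE > PTRS_PER_PTE)
		return -EINVAL;
	if (!rounddown_pow_of_two_checked((unsigned long)val, &rounded))
		return -ERANGE;
	*pages = rounded / PAGE_SIZE ? rounded / PAGE_SIZE : 1;
	return 0;
}

/* Hardened ordering: clamp to one page first, so the rounding input is never 0. */
static int fault_around_set_clamped(const char *buf, unsigned long *pages)
{
	unsigned long long val;
	unsigned long rounded;
	if (!parse_u64(buf, &val) || val / PAGE_SIZE > PTRS_PER_PTE)
		return -EINVAL;
	if (val < PAGE_SIZE)
		val = PAGE_SIZE;        /* assumed minimum: one page */
	if (!rounddown_pow_of_two_checked((unsigned long)val, &rounded))
		return -ERANGE;         /* unreachable: val >= PAGE_SIZE > 0 */
	*pages = rounded / PAGE_SIZE;
	return 0;
}

/* Folds one setter call into a single value: negative errno, or the page count. */
static long probe(bool clamped, const char *buf)
{
	unsigned long pages = 0;
	int rc = clamped ? fault_around_set_clamped(buf, &pages)
			 : fault_around_set_unclamped(buf, &pages);
	return rc < 0 ? rc : (long)pages;
}

int main(void)
{
	/* Constructed inputs: the "0" from the report plus a few ordinary writes. */
	static const char *const inputs[] = { "0", "4096", "6000", "65536", "3000000", "abc" };
	for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
		printf("write \"%s\": unclamped -> %ld, clamped -> %ld\n",
		       inputs[i], probe(false, inputs[i]), probe(true, inputs[i]));
	return 0;
}
```

Two practical notes. First, the debugfs file this path serves is, on a default system, only reachable by root (debugfs is mounted with mode 0700 on most distributions), so the write in the report needs that privilege. Second, the fix pattern matters beyond this knob: whenever a setter feeds user input into rounddown_pow_of_two(), ilog2() or a shift derived from fls(), reject or clamp zero before the rounding call rather than after it, because the undefined shift has already happened by the time a post-rounding max() runs.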