From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: Sam Sun
Date: Fri, 1 Mar 2024 18:01:10 +0800
Subject: Re: [Linux Kernel Bug] UBSAN: shift-out-of-bounds in fault_around_bytes_set
Sender: owner-linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org

On 2024/3/1 15:42, Sam Sun wrote:
> Dear developers and maintainers,
>
> We found a shift-out-of-bounds bug in mm/memory.c. Kernel commit is b401b621758.
> Kernel config and C repro are attached to this email.
> UBSAN report is listed below.
> ```
> UBSAN: shift-out-of-bounds in /home/sy/linux-original/include/linux/log2.h:67:13
> shift exponent 4294967295 is too large for 64-bit type 'long unsigned int'
> CPU: 0 PID: 8091 Comm: syz-executor371 Not tainted 6.7.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
> ubsan_epilogue lib/ubsan.c:217 [inline]
> __ubsan_handle_shift_out_of_bounds+0x24b/0x430 lib/ubsan.c:387
> __rounddown_pow_of_two include/linux/log2.h:67 [inline]
> fault_around_bytes_set.cold+0x19/0x1e mm/memory.c:4527
> simple_attr_write_xsigned.constprop.0.isra.0+0x1ed/0x2d0 fs/libfs.c:1301
> debugfs_attr_write_xsigned fs/debugfs/file.c:485 [inline]
> debugfs_attr_write+0x74/0xa0 fs/debugfs/file.c:493
> vfs_write+0x2a9/0xd80 fs/read_write.c:582
> ksys_write+0x122/0x250 fs/read_write.c:637
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
> RIP: 0033:0x7fa30d5d7fcd
> Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffc8b7ee1b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 00007ffc8b7ee3b8 RCX: 00007fa30d5d7fcd
> RDX: 0000000000000002 RSI: 0000000020000040 RDI: 0000000000000003
> RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffc8b7ee3b8
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> R13: 00007ffc8b7ee3a8 R14: 00007fa30d655530 R15: 0000000000000001
>
> ================================================================================
> ```
> In function simple_attr_write_xsigned, a user controlled string "buf" is copied and
> turned into a long type by the function "kstrtoll". If buf is "0", the val passed to
> the function fault_around_bytes_set is 0, which would trigger the shift-out-of-bounds bug.

Looks like commit 53d36a56d8c4 ("mm: prefer fault_around_pages to fault_around_bytes") introduced the issue; please try the following change:

diff --git a/mm/memory.c b/mm/memory.c
index abd4f33d62c9..e17669d4f72f 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4776,7 +4776,8 @@ static int fault_around_bytes_set(void *data, u64 val)
 	 * The minimum value is 1 page, however this results in no fault-around
 	 * at all. See should_fault_around().
 	 */
-	fault_around_pages = max(rounddown_pow_of_two(val) >> PAGE_SHIFT, 1UL);
+	val = max(val, PAGE_SIZE);
+	fault_around_pages = rounddown_pow_of_two(val) >> PAGE_SHIFT;
 
 	return 0;
 }

>
> If you have any questions, please contact us.
> Reported by Yue Sun
>
> Best Regards,
> Yue
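Review bot: the replacement line `+	val = max(val, PAGE_SIZE);` silently rounds a write of 0, or any value below PAGE_SIZE, up to one page instead of rejecting it, and the old `max(..., 1UL)` floor on the result is dropped; that is sound, because after the clamp rounddown_pow_of_two(val) >> PAGE_SHIFT is at least 1 and the -EINVAL check above the hunk still bounds the top, but the comment directly above the hunk ("The minimum value is 1 page ...") should be extended to say that sub-page values are rounded up to PAGE_SIZE, and the patch should carry `Fixes: 53d36a56d8c4 ("mm: prefer fault_around_pages to fault_around_bytes")` and a Reported-by: for Yue Sun, since the reply already names both. Also confirm at build time that max() accepts the u64 val against the unsigned long PAGE_SIZE on the target tree, since older minmax.h versions warned on mismatched argument types.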
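As an added example (not code from the kernel or from this thread), the following user-space C model shows the shift that UBSAN flagged in __rounddown_pow_of_two() and why clamping val before the rounding fixes it while leaving every non-zero input's result unchanged. PAGE_SHIFT = 12 and PTRS_PER_PTE = 512 are assumed x86_64 values, the -EINVAL upper-bound check mirrors the one that precedes the patched lines in mm/memory.c, the debugfs file name fault_around_bytes is inferred from the trace, and EUNDEFINED_SHIFT is a constructed sentinel, not a kernel errno:

```c
/*
 * Added example, not kernel code: models __rounddown_pow_of_two() from
 * include/linux/log2.h and fault_around_bytes_set() before/after the clamp.
 * Assumed x86_64 constants; EUNDEFINED_SHIFT is a constructed sentinel.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define PTRS_PER_PTE  512
#define BITS_PER_LONG ((int)(sizeof(unsigned long) * CHAR_BIT))

/* Not a kernel errno: returned where the real code would execute UB. */
#define EUNDEFINED_SHIFT 1000

/* Model of the kernel's fls_long(): 1-based index of the highest set bit, 0 for 0. */
static int fls_long(unsigned long n)
{
	int r = 0;

	while (n) {
		n >>= 1;
		r++;
	}
	return r;
}

/*
 * Shift count used by __rounddown_pow_of_two(): 1UL << (fls_long(n) - 1).
 * fls_long(0) is 0, so the count is -1; printed as unsigned 32-bit that is
 * the "shift exponent 4294967295" in the UBSAN report.
 */
static int rounddown_shift_count(unsigned long n)
{
	return fls_long(n) - 1;
}

static int shift_count_is_defined(int count)
{
	return count >= 0 && count < BITS_PER_LONG;
}

/* rounddown_pow_of_two() with the undefined shift turned into an error return. */
static long rounddown_pow_of_two_checked(unsigned long n)
{
	int count = rounddown_shift_count(n);

	if (!shift_count_is_defined(count))
		return -EUNDEFINED_SHIFT;
	return (long)(1UL << count);
}

/*
 * Before the fix: the 1-page floor is applied only after the shift, so a
 * write of "0" to debugfs fault_around_bytes reaches the rounding with n == 0.
 * Returns the page count, -EINVAL, or -EUNDEFINED_SHIFT.
 */
static long fault_around_bytes_set_before(uint64_t val)
{
	long rounded;

	if (val / PAGE_SIZE > PTRS_PER_PTE)
		return -EINVAL;
	rounded = rounddown_pow_of_two_checked((unsigned long)val);
	if (rounded < 0)
		return rounded;
	rounded >>= PAGE_SHIFT;
	return rounded > 1 ? rounded : 1;	/* max(..., 1UL) */
}

/* After the fix: clamp first, so the rounding argument is never below PAGE_SIZE. */
static long fault_around_bytes_set_after(uint64_t val)
{
	long rounded;

	if (val / PAGE_SIZE > PTRS_PER_PTE)
		return -EINVAL;
	if (val < PAGE_SIZE)
		val = PAGE_SIZE;		/* max(val, PAGE_SIZE) */
	rounded = rounddown_pow_of_two_checked((unsigned long)val);
	if (rounded < 0)
		return rounded;
	return rounded >> PAGE_SHIFT;
}

int main(void)
{
	/* Constructed inputs: the reporter's "0", a sub-page value, a normal one, one too large. */
	const uint64_t inputs[] = { 0, PAGE_SIZE - 1, 65536, 3UL << 20 };
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("val=%llu before=%ld after=%ld\n",
		       (unsigned long long)inputs[i],
		       fault_around_bytes_set_before(inputs[i]),
		       fault_around_bytes_set_after(inputs[i]));
	return 0;
}
```

The model makes the ordering problem visible: the old `max(..., 1UL)` floor ran after the shift had already been executed with a count of -1, so it could never protect the n == 0 case, whereas clamping val beforehand gives the same page count as before for every value from 1 upward and turns 0 into one page.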