fs: Fix signed integer overflow for vfs_setpos

Message ID	e882c9eb-1fd7-a7f6-d12b-3ce306b9d778@huawei.com
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; To: Al Viro <viro@ZenIV.linux.org.uk>, <linux-fsdevel@vger.kernel.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, LinuxArm <linuxarm@huawei.com> From: Ding Tianhong <dingtianhong@huawei.com> Subject: [PATCH] fs: Fix signed integer overflow for vfs_setpos Message-ID: <e882c9eb-1fd7-a7f6-d12b-3ce306b9d778@huawei.com> Date: Thu, 7 Dec 2017 21:19:10 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk
Series	fs: Fix signed integer overflow for vfs_setpos \| expand fs: Fix signed integer overflow for vfs_setpos

Message ID

e882c9eb-1fd7-a7f6-d12b-3ce306b9d778@huawei.com

State

New

Headers

Received-SPF: pass (google.com: best guess record for domain of
	linux-kernel-owner@vger.kernel.org designates 209.132.180.67
	as permitted sender) client-ip=209.132.180.67; 
To: Al Viro <viro@ZenIV.linux.org.uk>, <linux-fsdevel@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	LinuxArm <linuxarm@huawei.com>
From: Ding Tianhong <dingtianhong@huawei.com>
Subject: [PATCH] fs: Fix signed integer overflow for vfs_setpos
Message-ID: <e882c9eb-1fd7-a7f6-d12b-3ce306b9d778@huawei.com>
Date: Thu, 7 Dec 2017 21:19:10 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
	Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

Series

fs: Fix signed integer overflow for vfs_setpos | expand

Commit Message

Ding Tianhong Dec. 7, 2017, 1:19 p.m. UTC

The undefined behaviour sanatizer detected an signed integer overflow like this:

r0 = memfd_create(&(0x7f0000002000-0x12)="2e726571756573745f6b65795f6175746800",0x0)
lseek(r0, 0x4040000000000000, 0x1)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20,
&(0x7f000000b000-0xd)={@empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x9, 0x1, 0xff, 0x2, 0x6, 0x1,0xd27}, 0x20)
mmap(&(0x7f000000e000/0x1000)=nil, 0x1000, 0x3, 0x32,0xffffffffffffffff, 0x0)
ioctl$sock_SIOCGSKNS(r0, 0x894c, &(0x7f000000f000-0x4)=0x10000)
---------------------------------------------------------------------------------
UBSAN: Undefined behaviour in fs/read_write.c:107:12
signed integer overflow:
4629700416936869888 + 4629700416936869888 cannot be represented in type
'long long int'
CPU: 0 PID: 11653 Comm: syz-executor0 Not tainted 4.x.xx+ #2
Hardware name: linux,dummy-virt (DT)
Call trace:
[<ffffffc00008f4d0>] dump_backtrace+0x0/0x2a0
[<ffffffc00008f790>] show_stack+0x20/0x30
[<ffffffc000ec3b5c>] dump_stack+0x11c/0x16c
[<ffffffc000ec3e80>] ubsan_epilogue+0x18/0x70
[<ffffffc000ec4ca0>] handle_overflow+0x14c/0x188
[<ffffffc000ec4d10>] __ubsan_handle_add_overflow+0x34/0x44
[<ffffffc000327740>] generic_file_llseek_size+0x1f8/0x2a0
[<ffffffc0002826fc>] shmem_file_llseek+0x7c/0x1f8
[<ffffffc000327b88>] SyS_lseek+0xc0/0x118
--------------------------------------------------------------------------------

The problem happened because the calculation of signed integer resulted
an overflow for the signed integer, so use the unsigned integer to avoid
undefined behaviour when it does overflow.

Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>

---
 fs/read_write.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
1.8.3.1

Comments

Al Viro Dec. 7, 2017, 3:27 p.m. UTC | #1

On Thu, Dec 07, 2017 at 09:19:10PM +0800, Ding Tianhong wrote:
> The undefined behaviour sanatizer detected an signed integer overflow like this:

> 

> r0 = memfd_create(&(0x7f0000002000-0x12)="2e726571756573745f6b65795f6175746800",0x0)

> lseek(r0, 0x4040000000000000, 0x1)

> setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20,

> &(0x7f000000b000-0xd)={@empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x9, 0x1, 0xff, 0x2, 0x6, 0x1,0xd27}, 0x20)

> mmap(&(0x7f000000e000/0x1000)=nil, 0x1000, 0x3, 0x32,0xffffffffffffffff, 0x0)

> ioctl$sock_SIOCGSKNS(r0, 0x894c, &(0x7f000000f000-0x4)=0x10000)

> ---------------------------------------------------------------------------------

> UBSAN: Undefined behaviour in fs/read_write.c:107:12

> signed integer overflow:

> 4629700416936869888 + 4629700416936869888 cannot be represented in type

> 'long long int'

> CPU: 0 PID: 11653 Comm: syz-executor0 Not tainted 4.x.xx+ #2

> Hardware name: linux,dummy-virt (DT)

> Call trace:

> [<ffffffc00008f4d0>] dump_backtrace+0x0/0x2a0

> [<ffffffc00008f790>] show_stack+0x20/0x30

> [<ffffffc000ec3b5c>] dump_stack+0x11c/0x16c

> [<ffffffc000ec3e80>] ubsan_epilogue+0x18/0x70

> [<ffffffc000ec4ca0>] handle_overflow+0x14c/0x188

> [<ffffffc000ec4d10>] __ubsan_handle_add_overflow+0x34/0x44

> [<ffffffc000327740>] generic_file_llseek_size+0x1f8/0x2a0

> [<ffffffc0002826fc>] shmem_file_llseek+0x7c/0x1f8

> [<ffffffc000327b88>] SyS_lseek+0xc0/0x118

> --------------------------------------------------------------------------------

> 

> The problem happened because the calculation of signed integer resulted

> an overflow for the signed integer, so use the unsigned integer to avoid

> undefined behaviour when it does overflow.


TBH, I don't like that solution - there's too much of "make UBSAN STFU" in
it.  Besides, there are very similar places elsewhere.  Right next to this
one there's default_llseek(), with its
                case SEEK_CUR:
                        if (offset == 0) {
                                retval = file->f_pos;
                                goto out;
                        }
                        offset += file->f_pos;
                        break;
and offset is loff_t there.  Exact same issue, IOW.  Grepping around shows
tons of similar places.  E.g. ceph_llseek() has
                if (offset == 0) {
                        ret = file->f_pos;
                        goto out;
                }
                offset += file->f_pos;
                break;
with offset being loff_t and ocfs2_file_llseek() is the same.  memory_lseek()
does something very similar, except that it doesn't use vfs_setpos(),
ditto for xillybus_llseek(), wil_pmc_llseek(), hmcdrv_dev_seek(), etc.

That kind of whack-a-mole ("UBSAN has stepped on that one, let's plug it",
while the other places like that keep breeding) is, IMO, the wrong approach ;-/

BTW, a fun unrelated bogosity:
static loff_t scom_llseek(struct file *file, loff_t offset, int whence)
{
        switch (whence) {
        case SEEK_CUR:
                break;
        case SEEK_SET:
                file->f_pos = offset;
                break;
        default:
                return -EINVAL;
        }

        return offset;
}
IOW, lseek(fd, SEEK_CUR, n) quietly returns n there.  Separate issue, though...

Ding Tianhong Dec. 8, 2017, 3:02 a.m. UTC | #2

On 2017/12/7 23:27, Al Viro wrote:
> On Thu, Dec 07, 2017 at 09:19:10PM +0800, Ding Tianhong wrote:

>> The undefined behaviour sanatizer detected an signed integer overflow like this:

>>

>> r0 = memfd_create(&(0x7f0000002000-0x12)="2e726571756573745f6b65795f6175746800",0x0)

>> lseek(r0, 0x4040000000000000, 0x1)

>> setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20,

>> &(0x7f000000b000-0xd)={@empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,

>> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x9, 0x1, 0xff, 0x2, 0x6, 0x1,0xd27}, 0x20)

>> mmap(&(0x7f000000e000/0x1000)=nil, 0x1000, 0x3, 0x32,0xffffffffffffffff, 0x0)

>> ioctl$sock_SIOCGSKNS(r0, 0x894c, &(0x7f000000f000-0x4)=0x10000)

>> ---------------------------------------------------------------------------------

>> UBSAN: Undefined behaviour in fs/read_write.c:107:12

>> signed integer overflow:

>> 4629700416936869888 + 4629700416936869888 cannot be represented in type

>> 'long long int'

>> CPU: 0 PID: 11653 Comm: syz-executor0 Not tainted 4.x.xx+ #2

>> Hardware name: linux,dummy-virt (DT)

>> Call trace:

>> [<ffffffc00008f4d0>] dump_backtrace+0x0/0x2a0

>> [<ffffffc00008f790>] show_stack+0x20/0x30

>> [<ffffffc000ec3b5c>] dump_stack+0x11c/0x16c

>> [<ffffffc000ec3e80>] ubsan_epilogue+0x18/0x70

>> [<ffffffc000ec4ca0>] handle_overflow+0x14c/0x188

>> [<ffffffc000ec4d10>] __ubsan_handle_add_overflow+0x34/0x44

>> [<ffffffc000327740>] generic_file_llseek_size+0x1f8/0x2a0

>> [<ffffffc0002826fc>] shmem_file_llseek+0x7c/0x1f8

>> [<ffffffc000327b88>] SyS_lseek+0xc0/0x118

>> --------------------------------------------------------------------------------

>>

>> The problem happened because the calculation of signed integer resulted

>> an overflow for the signed integer, so use the unsigned integer to avoid

>> undefined behaviour when it does overflow.

> 

> TBH, I don't like that solution - there's too much of "make UBSAN STFU" in

> it.  Besides, there are very similar places elsewhere.  Right next to this

> one there's default_llseek(), with its

>                 case SEEK_CUR:

>                         if (offset == 0) {

>                                 retval = file->f_pos;

>                                 goto out;

>                         }

>                         offset += file->f_pos;

>                         break;

> and offset is loff_t there.  Exact same issue, IOW.  Grepping around shows

> tons of similar places.  E.g. ceph_llseek() has

>                 if (offset == 0) {

>                         ret = file->f_pos;

>                         goto out;

>                 }

>                 offset += file->f_pos;

>                 break;

> with offset being loff_t and ocfs2_file_llseek() is the same.  memory_lseek()

> does something very similar, except that it doesn't use vfs_setpos(),

> ditto for xillybus_llseek(), wil_pmc_llseek(), hmcdrv_dev_seek(), etc.

> 

> That kind of whack-a-mole ("UBSAN has stepped on that one, let's plug it",

> while the other places like that keep breeding) is, IMO, the wrong approach ;-/

> 

> BTW, a fun unrelated bogosity:

> static loff_t scom_llseek(struct file *file, loff_t offset, int whence)

> {

>         switch (whence) {

>         case SEEK_CUR:

>                 break;

>         case SEEK_SET:

>                 file->f_pos = offset;

>                 break;

>         default:

>                 return -EINVAL;

>         }

> 

>         return offset;

> }

> IOW, lseek(fd, SEEK_CUR, n) quietly returns n there.  Separate issue, though...

> 


Totally agree with you, this problem also make me very confused, but looks like
the undefined behaviour is really critical issue,  so should we reconsider this
problem and solve it completely ?

Thanks
Ding

> .

>

diff --git a/fs/read_write.c b/fs/read_write.c
index f8547b8..2c377fc 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -105,7 +105,7 @@  loff_t vfs_setpos(struct file *file, loff_t offset, loff_t maxsize)
 		 * like SEEK_SET.
 		 */
 		spin_lock(&file->f_lock);
-		offset = vfs_setpos(file, file->f_pos + offset, maxsize);
+		offset = vfs_setpos(file, (u64)file->f_pos + offset, maxsize);
 		spin_unlock(&file->f_lock);
 		return offset;
 	case SEEK_DATA:

fs: Fix signed integer overflow for vfs_setpos

Commit Message

Comments

Patch