From patchwork Mon Sep 11 23:15:49 2017
X-Patchwork-Submitter: Randy Dunlap
X-Patchwork-Id: 9948195
From: Randy Dunlap
To: LKML, Linux FS Devel, Al Viro
Cc: Andrew Morton, Shankara Pailoor, Michael Kerrisk
Subject: [RFC PATCH] fs/pipe.c: implement minimum pipe size for arg==0
Date: Mon, 11 Sep 2017 16:15:49 -0700
X-Mailing-List: linux-fsdevel@vger.kernel.org
From: Randy Dunlap

Shankara reports that running Syzkaller with UBSAN causes this message:

UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13

Syzkaller is trying to set the pipe size to 0UL. The call chain is:

pipe_set_size(pipe, 0UL)
...
size = round_pipe_size(arg); // arg == 0UL

which does

nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; // = 0UL
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;

which is undefined when the argument is 0... and which calls

fls_long(-1) // == 64

and then returns 1UL << 64. This is where UBSAN kicks in.

The fcntl() man page [http://man7.org/linux/man-pages/man2/fcntl.2.html] says that:

Attempts to set the pipe capacity below the page size are silently rounded up to the page size.

We could try to fix the basic low-level functions to handle 0 (where says the result is undefined when n == 0), but the safest path for now is probably just to patch fs/pipe.c to make the documented default happen when arg is 0.

Reported-by: Shankara Pailoor
Signed-off-by: Randy Dunlap
---
 fs/pipe.c | 2 ++
 1 file changed, 2 insertions(+)

We could just return -EINVAL when arg == 0, but we don't know how that might adversely affect some programs.

--- lnx-413.orig/fs/pipe.c
+++ lnx-413/fs/pipe.c
@@ -1038,6 +1038,8 @@ static long pipe_set_size(struct pipe_in
 	unsigned long user_bufs;
 	long ret = 0;
+	if (!arg)
+		arg = PAGE_SIZE;
 	size = round_pipe_size(arg);
 	nr_pages = size >> PAGE_SHIFT;
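Review bot: the guard is placed in the caller pipe_set_size() rather than in round_pipe_size(), so the helper itself still computes `roundup_pow_of_two(0)` (fls_long(-1) == 64, then `1UL << 64`) for any other caller that passes it 0; consider moving `if (!arg) arg = PAGE_SIZE;` into round_pipe_size() (or returning PAGE_SIZE there when nr_pages == 0), which fixes the undefined shift at its source and implements the documented "rounded up to the page size" rule in one place. The two added lines would also benefit from a one-line comment citing that fcntl(2) behaviour, since a bare `arg = PAGE_SIZE;` reads as an arbitrary default rather than the documented minimum.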
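To make the arithmetic in the report concrete, here is an added userspace model (not code from the patch or the kernel) of the quoted round_pipe_size() path beside the patched caller; the PAGE_SHIFT/PAGE_SIZE values and the helper names roundup_shift(), round_pipe_size_is_undefined() and pipe_size_for_arg() are assumptions for illustration. It detects the undefined full-width shift for arg == 0 without performing it, and shows that the guard yields exactly the page-size minimum.

```c
#include <limits.h>
#include <stdbool.h>

/* Constructed userspace model of the helpers named in the report; PAGE_SHIFT
 * and PAGE_SIZE are assumed x86-64 values, not taken from the patch. */
#define PAGE_SHIFT    12UL
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* fls_long(): 1-based index of the highest set bit, 0 when x == 0. */
static unsigned int fls_long(unsigned long x)
{
    unsigned int r = 0;
    while (x) { x >>= 1; r++; }
    return r;
}

/* Shift amount roundup_pow_of_two(n) uses: fls_long(n - 1). For n == 0 the
 * unsigned subtraction wraps to ULONG_MAX, so this returns BITS_PER_LONG and
 * the subsequent 1UL << BITS_PER_LONG is the undefined shift UBSAN flagged. */
static unsigned int roundup_shift(unsigned long n)
{
    return fls_long(n - 1);
}

/* True when round_pipe_size(size) would reach that undefined shift. */
static bool round_pipe_size_is_undefined(unsigned long size)
{
    unsigned long nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return roundup_shift(nr_pages) >= BITS_PER_LONG;
}

/* round_pipe_size() as quoted in the message; only valid for nr_pages >= 1. */
static unsigned long round_pipe_size(unsigned long size)
{
    unsigned long nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return (1UL << roundup_shift(nr_pages)) << PAGE_SHIFT;
}

/* The patched caller: arg == 0 becomes the documented page-size minimum
 * before the helper runs, so nr_pages is never 0. */
static unsigned long pipe_size_for_arg(unsigned long arg)
{
    if (!arg)
        arg = PAGE_SIZE;
    return round_pipe_size(arg);
}
```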