Message ID | 20210802075615.4037698-1-libaokun1@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | [-next,v2] nbd: add the check to prevent overflow in __nbd_ioctl() |
Hi Baokun,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on next-20210730]
url: https://github.com/0day-ci/linux/commits/Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
base: 8d4b477da1a807199ca60e0829357ce7aa6758d5
config: s390-randconfig-r004-20210802 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 4f71f59bf3d9914188a11d0c41bedbb339d36ff5)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install s390 cross compiling tool for clang build
# apt-get install binutils-s390x-linux-gnu
# https://github.com/0day-ci/linux/commit/db848e3e79fb93dcba9390dda472184ab2d31f40
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
git checkout db848e3e79fb93dcba9390dda472184ab2d31f40
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=s390
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> drivers/block/nbd.c:1402:16: warning: comparison of distinct pointer types ('typeof (arg) *' (aka 'unsigned long *') and 'typeof (config->blksize) *' (aka 'long long *')) [-Wcompare-distinct-pointer-types]
if (unlikely(check_mul_overflow(arg, config->blksize,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:88:15: note: expanded from macro 'check_mul_overflow'
(void) (&__a == &__b); \
~~~~ ^ ~~~~
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
>> drivers/block/nbd.c:1402:16: warning: comparison of distinct pointer types ('typeof (arg) *' (aka 'unsigned long *') and 'typeof (&bytesize)' (aka 'long long *')) [-Wcompare-distinct-pointer-types]
if (unlikely(check_mul_overflow(arg, config->blksize,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:89:15: note: expanded from macro 'check_mul_overflow'
(void) (&__a == __d); \
~~~~ ^ ~~~
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
2 warnings generated.
vim +1402 drivers/block/nbd.c
1381
1382	/* Must be called with config_lock held */
1383	static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
1384			       unsigned int cmd, unsigned long arg)
1385	{
1386		struct nbd_config *config = nbd->config;
1387		loff_t bytesize;
1388
1389		switch (cmd) {
1390		case NBD_DISCONNECT:
1391			return nbd_disconnect(nbd);
1392		case NBD_CLEAR_SOCK:
1393			nbd_clear_sock_ioctl(nbd, bdev);
1394			return 0;
1395		case NBD_SET_SOCK:
1396			return nbd_add_socket(nbd, arg, false);
1397		case NBD_SET_BLKSIZE:
1398			return nbd_set_size(nbd, config->bytesize, arg);
1399		case NBD_SET_SIZE:
1400			return nbd_set_size(nbd, arg, config->blksize);
1401		case NBD_SET_SIZE_BLOCKS:
> 1402			if (unlikely(check_mul_overflow(arg, config->blksize,
1403							&bytesize)))
1404				return -EINVAL;
1405			return nbd_set_size(nbd, bytesize, config->blksize);
1406		case NBD_SET_TIMEOUT:
1407			nbd_set_cmd_timeout(nbd, arg);
1408			return 0;
1409
1410		case NBD_SET_FLAGS:
1411			config->flags = arg;
1412			return 0;
1413		case NBD_DO_IT:
1414			return nbd_start_device_ioctl(nbd, bdev);
1415		case NBD_CLEAR_QUE:
1416			/*
1417			 * This is for compatibility only. The queue is always cleared
1418			 * by NBD_DO_IT or NBD_CLEAR_SOCK.
1419			 */
1420			return 0;
1421		case NBD_PRINT_DEBUG:
1422			/*
1423			 * For compatibility only, we no longer keep a list of
1424			 * outstanding requests.
1425			 */
1426			return 0;
1427		}
1428		return -ENOTTY;
1429	}
1430
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hi Baokun,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on next-20210730]
url: https://github.com/0day-ci/linux/commits/Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
base: 8d4b477da1a807199ca60e0829357ce7aa6758d5
config: sh-randconfig-r005-20210802 (attached as .config)
compiler: sh4-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/db848e3e79fb93dcba9390dda472184ab2d31f40
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
git checkout db848e3e79fb93dcba9390dda472184ab2d31f40
# save the attached .config to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash drivers/block/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/asm-generic/bug.h:5,
from arch/sh/include/asm/bug.h:112,
from include/linux/bug.h:5,
from include/linux/thread_info.h:13,
from include/asm-generic/current.h:5,
from ./arch/sh/include/generated/asm/current.h:1,
from include/linux/sched.h:12,
from include/linux/blkdev.h:5,
from drivers/block/nbd.c:16:
drivers/block/nbd.c: In function '__nbd_ioctl':
>> include/linux/overflow.h:88:15: warning: comparison of distinct pointer types lacks a cast
88 | (void) (&__a == &__b); \
| ^~
include/linux/compiler.h:78:42: note: in definition of macro 'unlikely'
78 | # define unlikely(x) __builtin_expect(!!(x), 0)
| ^
drivers/block/nbd.c:1402:16: note: in expansion of macro 'check_mul_overflow'
1402 | if (unlikely(check_mul_overflow(arg, config->blksize,
| ^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:89:15: warning: comparison of distinct pointer types lacks a cast
89 | (void) (&__a == __d); \
| ^~
include/linux/compiler.h:78:42: note: in definition of macro 'unlikely'
78 | # define unlikely(x) __builtin_expect(!!(x), 0)
| ^
drivers/block/nbd.c:1402:16: note: in expansion of macro 'check_mul_overflow'
1402 | if (unlikely(check_mul_overflow(arg, config->blksize,
| ^~~~~~~~~~~~~~~~~~
vim +88 include/linux/overflow.h
f0907827a8a915 Rasmus Villemoes 2018-05-08 83
9b80e4c4ddaca3 Kees Cook 2020-08-12 84 #define check_mul_overflow(a, b, d) __must_check_overflow(({ \
f0907827a8a915 Rasmus Villemoes 2018-05-08 85 typeof(a) __a = (a); \
f0907827a8a915 Rasmus Villemoes 2018-05-08 86 typeof(b) __b = (b); \
f0907827a8a915 Rasmus Villemoes 2018-05-08 87 typeof(d) __d = (d); \
f0907827a8a915 Rasmus Villemoes 2018-05-08 @88 (void) (&__a == &__b); \
f0907827a8a915 Rasmus Villemoes 2018-05-08 89 (void) (&__a == __d); \
f0907827a8a915 Rasmus Villemoes 2018-05-08 90 __builtin_mul_overflow(__a, __b, __d); \
9b80e4c4ddaca3 Kees Cook 2020-08-12 91 }))
f0907827a8a915 Rasmus Villemoes 2018-05-08 92
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index c38317979f74..9f3e25f74e9b 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1384,6 +1384,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, unsigned int cmd, unsigned long arg) { struct nbd_config *config = nbd->config; + loff_t bytesize; switch (cmd) { case NBD_DISCONNECT: @@ -1398,8 +1399,10 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, case NBD_SET_SIZE: return nbd_set_size(nbd, arg, config->blksize); case NBD_SET_SIZE_BLOCKS: - return nbd_set_size(nbd, arg * config->blksize, - config->blksize); + if (unlikely(check_mul_overflow(arg, config->blksize, + &bytesize))) + return -EINVAL; + return nbd_set_size(nbd, bytesize, config->blksize); case NBD_SET_TIMEOUT: nbd_set_cmd_timeout(nbd, arg); return 0;
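Review bot: In the NBD_SET_SIZE_BLOCKS hunk, the three operands passed to check_mul_overflow() do not share a type: arg is unsigned long, while config->blksize and the new bytesize are long long according to the build reports on this page. The macro's "(void) (&__a == &__b);" and "(void) (&__a == __d);" checks require all three to match, which is what both W=1 builds warn about. Convert arg into a loff_t local before the call and reject a value that does not fit in loff_t first, so the check runs on three loff_t operands; without that range check a converted arg could turn negative and yield a negative bytesize without tripping the overflow test.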
If a user specifies a large enough value for the NBD blocks option, it may
trigger a signed integer overflow, which may lead to nbd->config->bytesize
becoming a large or small value, zero in particular.
UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31
signed integer overflow:
1024 * 4611686155866341414 cannot be represented in type 'long long int'
[...]
Call trace:
[...]
handle_overflow+0x188/0x1dc lib/ubsan.c:192
__ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
nbd_size_set drivers/block/nbd.c:325 [inline]
__nbd_ioctl drivers/block/nbd.c:1342 [inline]
nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395
__blkdev_driver_ioctl block/ioctl.c:311 [inline]
[...]
Although it is not a big deal, still silence the UBSAN by limiting the input value.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
---
V1->V2:
Use check_mul_overflow().
drivers/block/nbd.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
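The overflow named in the commit message and the type check behind the robot's warnings, as an added userspace example that is not part of the patch or the kernel tree. The names demo_loff_t, demo_check_mul_overflow, demo_blocks_to_bytes and demo_wrapped_product are hypothetical; the macro body is copied from the overflow.h lines quoted in the build report, and a GCC or Clang compiler is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

typedef long long demo_loff_t;	/* stand-in for the kernel's loff_t */

/* Userspace copy of the macro quoted in the report; the two pointer
 * comparisons are what warn when a, b and *d differ in type. */
#define demo_check_mul_overflow(a, b, d) __extension__({	\
	__typeof__(a) __a = (a);				\
	__typeof__(b) __b = (b);				\
	__typeof__(d) __d = (d);				\
	(void) (&__a == &__b);					\
	(void) (&__a == __d);					\
	__builtin_mul_overflow(__a, __b, __d);			\
})

/* Hypothetical helper, not from nbd.c: blocks * blksize as a byte size.
 * Returns 0 and stores the result, or -EINVAL if it cannot be represented. */
static int demo_blocks_to_bytes(unsigned long long blocks, demo_loff_t blksize,
				demo_loff_t *bytesize)
{
	demo_loff_t nblocks;

	/* A 64-bit unsigned count can exceed LLONG_MAX: reject before converting. */
	if (blocks > (unsigned long long)LLONG_MAX || blksize <= 0)
		return -EINVAL;
	nblocks = (demo_loff_t)blocks;

	/* All three operands are now demo_loff_t, so the type check is quiet. */
	if (demo_check_mul_overflow(nblocks, blksize, bytesize))
		return -EINVAL;
	return 0;
}

/* The unchecked product, done in unsigned arithmetic so the wrap is defined. */
static demo_loff_t demo_wrapped_product(unsigned long long blocks,
					demo_loff_t blksize)
{
	return (demo_loff_t)(blocks * (unsigned long long)blksize);
}

int main(void)
{
	demo_loff_t out = 0;
	/* Operands taken from the UBSAN report in the commit message. */
	int rc = demo_blocks_to_bytes(4611686155866341414ULL, 1024, &out);
	printf("checked rc=%d, unchecked product=%lld\n", rc,
	       demo_wrapped_product(4611686155866341414ULL, 1024));
	return 0;
}
```

With the UBSAN operands the unchecked product wraps to 140737488394240, a positive and plausible-looking size, and a block count of 2^54 with a 1024-byte block size wraps to exactly zero.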