| Message ID | 20240506-b4-sio-block-ioctl-v1-1-da535cc020dc@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | block/ioctl: use overflow helper for blkpg_partition fields | expand |
On Mon, May 6, 2024 at 4:10 PM Justin Stitt <justinstitt@google.com> wrote: > > Running syzkaller with the newly reintroduced signed integer overflow > sanitizer shows this report: > > [ 62.982337] ------------[ cut here ]------------ > [ 62.985692] cgroup: Invalid name > [ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46 > [ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1 > [ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long' > [ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1 > [ 62.999369] random: crng reseeded on system resumption > [ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000) > [ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 > [ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 > [ 63.000682] Call Trace: > [ 63.000686] <TASK> > [ 63.000731] dump_stack_lvl+0x93/0xd0 > [ 63.000919] __get_user_pages+0x903/0xd30 > [ 63.001030] __gup_longterm_locked+0x153e/0x1ba0 > [ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50 > [ 63.001072] ? try_get_folio+0x29c/0x2d0 > [ 63.001083] internal_get_user_pages_fast+0x1119/0x1530 > [ 63.001109] iov_iter_extract_pages+0x23b/0x580 > [ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220 > [ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410 > [ 63.001297] __iomap_dio_rw+0xab4/0x1810 > [ 63.001316] iomap_dio_rw+0x45/0xa0 > [ 63.001328] ext4_file_write_iter+0xdde/0x1390 > [ 63.001372] vfs_write+0x599/0xbd0 > [ 63.001394] ksys_write+0xc8/0x190 > [ 63.001403] do_syscall_64+0xd4/0x1b0 > [ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60 > [ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77 > [ 63.001535] RIP: 0033:0x7f7fd3ebf539 > [ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 > [ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 > [ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539 > [ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004 > [ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000 > [ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > [ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8 > ... > [ 63.018142] ---[ end trace ]--- > Please note that I had to reconstruct this entire UBSAN report with some fancy regex as the actual report on my box had some IO flushing issues when running syzkaller with multiple threads. Due to this, this report may look weird but I tried my best to put things in chronological order.
On Mon, May 6, 2024 at 4:10 PM Justin Stitt <justinstitt@google.com> wrote: > ... > > Historically, the signed integer overflow sanitizer did not work in the > kernel due to its interaction with `-fwrapv` but this has since been > changed [1] in the newest version of Clang; It being re-enabled in the > kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow > sanitizer"). > > Let's use check_add_overflow to check for overflow between p.start and > p.length, as this method won't trigger a UBSAN splat. Whoops, I got this wrong. The third argument is where the result of the summation is stored. In an effort not to use a throwaway variable during testing I just used the address of p.start, this is clearly wrong. I've changed my approach in [v2]. [v2]: https://lore.kernel.org/all/20240507-b4-sio-block-ioctl-v2-1-e11113aeb10f@google.com/ Thanks Justin
diff --git a/block/ioctl.c b/block/ioctl.c index f505f9c341eb..a66213c88ebb 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -33,7 +33,8 @@ static int blkpg_do_ioctl(struct block_device *bdev, if (op == BLKPG_DEL_PARTITION) return bdev_del_partition(disk, p.pno); - if (p.start < 0 || p.length <= 0 || p.start + p.length < 0) + if (p.start < 0 || p.length <= 0 || + check_add_overflow(p.start, p.length, &p.start)) return -EINVAL; /* Check that the partition is aligned to the block size */ if (!IS_ALIGNED(p.start | p.length, bdev_logical_block_size(bdev)))
Running syzkaller with the newly reintroduced signed integer overflow sanitizer shows this report: [ 62.982337] ------------[ cut here ]------------ [ 62.985692] cgroup: Invalid name [ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46 [ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1 [ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long' [ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1 [ 62.999369] random: crng reseeded on system resumption [ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000) [ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 [ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 63.000682] Call Trace: [ 63.000686] <TASK> [ 63.000731] dump_stack_lvl+0x93/0xd0 [ 63.000919] __get_user_pages+0x903/0xd30 [ 63.001030] __gup_longterm_locked+0x153e/0x1ba0 [ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50 [ 63.001072] ? try_get_folio+0x29c/0x2d0 [ 63.001083] internal_get_user_pages_fast+0x1119/0x1530 [ 63.001109] iov_iter_extract_pages+0x23b/0x580 [ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220 [ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410 [ 63.001297] __iomap_dio_rw+0xab4/0x1810 [ 63.001316] iomap_dio_rw+0x45/0xa0 [ 63.001328] ext4_file_write_iter+0xdde/0x1390 [ 63.001372] vfs_write+0x599/0xbd0 [ 63.001394] ksys_write+0xc8/0x190 [ 63.001403] do_syscall_64+0xd4/0x1b0 [ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60 [ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 63.001535] RIP: 0033:0x7f7fd3ebf539 [ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539 [ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004 [ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000 [ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8 ... [ 63.018142] ---[ end trace ]--- Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang; It being re-enabled in the kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer"). Let's use check_add_overflow to check for overflow between p.start and p.length, as this method won't trigger a UBSAN splat. [1]: https://github.com/llvm/llvm-project/pull/82432 Signed-off-by: Justin Stitt <justinstitt@google.com> --- block/ioctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- base-commit: 0106679839f7c69632b3b9833c3268c316c0a9fc change-id: 20240506-b4-sio-block-ioctl-78efd742fff4 Best regards, -- Justin Stitt <justinstitt@google.com>