From patchwork Sun Feb 19 19:12:30 2017
X-Patchwork-Submitter: Nicolai Stange
X-Patchwork-Id: 9581787
From: Nicolai Stange
To: Alexander Viro
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Nicolai Stange
Subject: [PATCH] pipe: handle zero sized F_SETPIPE_SZ fcntl
Date: Sun, 19 Feb 2017 20:12:30 +0100
Message-Id: <20170219191230.3206-1-nicstange@gmail.com>

Syzkaller reported this UBSAN:

  Undefined behaviour in include/linux/log2.h:63:13
  shift exponent 64 is too large for 64-bit type 'long unsigned int'
  Call Trace:
   __dump_stack lib/dump_stack.c:15 [inline]
   dump_stack+0x108/0x19b lib/dump_stack.c:51
   ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
   __ubsan_handle_shift_out_of_bounds+0x29c/0x300 lib/ubsan.c:421
   __roundup_pow_of_two include/linux/log2.h:63 [inline]
   round_pipe_size fs/pipe.c:1049 [inline]
   pipe_set_size fs/pipe.c:1042 [inline]
   pipe_fcntl+0x12a/0x6e0 fs/pipe.c:1159
   do_fcntl fs/fcntl.c:332 [inline]
   SYSC_fcntl fs/fcntl.c:372 [inline]
   SyS_fcntl+0xa90/0xb80 fs/fcntl.c:380
   entry_SYSCALL_64_fastpath+0x1f/0xc2

after it had tried to do this:

  fcntl(fd, F_SETPIPE_SZ, 0);

The reason is that round_pipe_size() rounds the requested size towards
the next multiple of PAGE_SIZE and passes the thus resulting number of
pages to roundup_pow_of_two().

Now, roundup_pow_of_two(0) is defined to be undefined. More specifically,

  roundup_pow_of_two(0) == 1UL << fls_long(-1) == 1UL << BITS_PER_LONG

which evaluates to 1 on x86 (good), but to zero on ARMv7 (not good),
for example.

Whatever the resulting value is, pipe_set_size() will hand it to
kcalloc(), so it had better be nonzero.

Make round_pipe_size() handle the size == 0 case explicitly and let it
return PAGE_SIZE then.

Signed-off-by: Nicolai Stange
Reviewed-by: Christoph Hellwig
---
 fs/pipe.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/pipe.c b/fs/pipe.c
index 73b84baf58f8..2c88fa8cbe3b 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c @@ -1024,6 +1024,9 @@ static inline unsigned int round_pipe_size(unsigned int size) { unsigned long nr_pages; + if (!size) + return PAGE_SIZE; + nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; return roundup_pow_of_two(nr_pages) << PAGE_SHIFT; }
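Review bot: The new `if (!size) return PAGE_SIZE;` silently turns a zero-byte request into a one-page pipe, and neither the code nor the commit message says why that is preferable to rejecting the request; a one-line comment above the check (that roundup_pow_of_two(0) is undefined and the result is handed to kcalloc(), so it must be nonzero) would keep the next reader from "simplifying" it away, and the commit message could state whether returning -EINVAL from pipe_set_size() was considered and rejected.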
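The rounding the commit message walks through, as an added user-space model that is not part of the patch or of fs/pipe.c: it mirrors round_pipe_size() before and after the guard, with roundup_pow_of_two() written out as the kernel's fls_long()-based definition so the size == 0 shift by BITS_PER_LONG is visible rather than silently executed. PAGE_SHIFT = 12 (4 KiB pages) is an assumption for the model.

```c
#include <stdio.h>

/* Assumed for this model: 4 KiB pages, as on x86. */
#define PAGE_SHIFT    12UL
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* fls_long(): 1-based index of the highest set bit, 0 when x == 0. */
static unsigned int fls_long(unsigned long x)
{
    unsigned int n = 0;
    while (x) { n++; x >>= 1; }
    return n;
}

/* Kernel-style roundup_pow_of_two(): 1UL << fls_long(n - 1).  For n == 0 the
 * operand wraps to ULONG_MAX and the shift count becomes BITS_PER_LONG, the
 * shift UBSAN reported.  This model returns 0 (never a valid power of two)
 * instead of performing the undefined shift. */
static unsigned long roundup_pow_of_two(unsigned long n)
{
    unsigned int shift = fls_long(n - 1);
    return shift >= BITS_PER_LONG ? 0 : 1UL << shift;
}

/* round_pipe_size() before the patch: a result of 0 marks the UB path. */
static unsigned long round_pipe_size_unpatched(unsigned int size)
{
    unsigned long nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}

/* round_pipe_size() with this patch's guard: size 0 never reaches
 * roundup_pow_of_two(), so what pipe_set_size() hands to kcalloc() is
 * nonzero on every architecture. */
static unsigned long round_pipe_size_fixed(unsigned int size)
{
    if (!size)
        return PAGE_SIZE;
    return round_pipe_size_unpatched(size);
}

int main(void)
{
    printf("F_SETPIPE_SZ 0:    unpatched=%lu fixed=%lu\n",
           round_pipe_size_unpatched(0), round_pipe_size_fixed(0));
    printf("F_SETPIPE_SZ 4097: fixed=%lu (rounded to 2 pages)\n",
           round_pipe_size_fixed(4097));
    return 0;
}
```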