lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1497358411-53071-1-git-send-email-zhongjiang@huawei.com>
Date:   Tue, 13 Jun 2017 20:53:31 +0800
From:   zhong jiang <zhongjiang@...wei.com>
To:     <akpm@...ux-foundation.org>, <jlayton@...hat.com>
CC:     <oleg@...hat.com>, <jslaby@...e.cz>, <viro@...iv.linux.org.uk>,
        <mhocko@...nel.org>, <vbabka@...e.cz>, <linux-mm@...ck.org>,
        <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] exit: avoid undefined behaviour when call wait4

From: zhongjiang <zhongjiang@...wei.com>

wait4(-2147483648, 0x20, 0, 0xdd0000) triggers:
UBSAN: Undefined behaviour in kernel/exit.c:1651:9

The related calltrace is as follows:

[518871.435738] negation of -2147483648 cannot be represented in type 'int':
[518871.442618] CPU: 9 PID: 16482 Comm: zj Tainted: G    B          ---- -------   3.10.0-327.53.58.71.x86_64+ #66
[518871.452874] Hardware name: Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA              , BIOS CTSAV036 04/27/2011
[518871.464690]  ffffffff82599190 000000008b740a25 ffff880112447d90 ffffffff81d6eb16
[518871.472395]  ffff880112447da8 ffffffff81d6ebc9 ffffffff82599180 ffff880112447e98
[518871.480101]  ffffffff81d6fc99 0000000041b58ab3 ffffffff8228d698 ffffffff81d6fb90
[518871.487801] Call Trace:
[518871.490435]  [<ffffffff81d6eb16>] dump_stack+0x19/0x1b
[518871.495751]  [<ffffffff81d6ebc9>] ubsan_epilogue+0xd/0x50
[518871.501328]  [<ffffffff81d6fc99>] __ubsan_handle_negate_overflow+0x109/0x14e
[518871.508548]  [<ffffffff81d6fb90>] ? __ubsan_handle_divrem_overflow+0x1df/0x1df
[518871.516041]  [<ffffffff8116e0d4>] ? lg_local_lock+0x24/0xb0
[518871.521785]  [<ffffffff8116e640>] ? lg_local_unlock+0x20/0xd0
[518871.527708]  [<ffffffff81366fa0>] ? __pmd_alloc+0x180/0x180
[518871.533458]  [<ffffffff8143f81b>] ? mntput+0x3b/0x70
[518871.538598]  [<ffffffff8110d7bb>] SyS_wait4+0x1cb/0x1e0
[518871.543999]  [<ffffffff8110d5f0>] ? SyS_waitid+0x220/0x220
[518871.549661]  [<ffffffff8123bb57>] ? __audit_syscall_entry+0x1f7/0x2a0
[518871.556278]  [<ffffffff81d91109>] system_call_fastpath+0x16/0x1b

The patch by excluding the overflow to avoid the UBSAN warning.

Signed-off-by: zhong jiang <zhongjiang@...wei.com>
---
 kernel/exit.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/exit.c b/kernel/exit.c
index 516acdb..cfe70cf 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1701,6 +1701,10 @@ static long do_wait(struct wait_opts *wo)
 	if (upid == -1)
 		type = PIDTYPE_MAX;
 	else if (upid < 0) {
+		/* -INT_MIN is not defined */
+		if (upid == INT_MIN)
+			return -ESRCH;
+
 		type = PIDTYPE_PGID;
 		pid = find_get_pid(-upid);
 	} else if (upid == 0) {
-- 
1.7.12.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ