lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1573867464-5107-1-git-send-email-chenjun102@huawei.com>
Date:   Fri, 15 Nov 2019 20:24:24 -0500
From:   Chen Jun <chenjun102@...wei.com>
To:     Hugh Dickins <hughd@...gle.com>, <linux-mm@...ck.org>
CC:     Andrew Morton <akpm@...ux-foundation.org>,
        <linux-kernel@...r.kernel.org>, <wangkefeng.wang@...wei.com>
Subject: [PATCH] mm: Cast the type of unmap_start to u64

In 64bit system. sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE,
which equal LLONG_MAX.
If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in
shmem_fallocate, which will pass the checking in vfs_fallocate.
	/* Check for wrap through zero too */
	if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
		return -EFBIG;

loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate
causes a overflow.

Syzkaller reports a overflow problem in mm/shmem:
UBSAN: Undefined behaviour in mm/shmem.c:2014:10
signed integer overflow:
'9223372036854775807 + 1' cannot be represented in type 'long long int'
CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1
Hardware name: linux, dummy-virt (DT)
Call trace:
[<ffff800000092150>] dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100
[<ffff800000092438>] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238
[<ffff800000f9b134>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffff800000f9b134>] ubsan_epilogue+0x18/0x70 lib/ubsan.c:164
[<ffff800000f9b468>] handle_overflow+0x158/0x1b0 lib/ubsan.c:195
[<ffff800000341280>] shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104
[<ffff8000003ee008>] vfs_fallocate+0x238/0x428 fs/open.c:312
[<ffff8000003ef72c>] SYSC_fallocate fs/open.c:335 [inline]
[<ffff8000003ef72c>] SyS_fallocate+0x54/0xc8 fs/open.c:239

The highest bit of unmap_start will be appended with sign bit 1 (overflow)
when calculate shmem_falloc.start:
shmem_falloc.start = unmap_start >> PAGE_SHIFT.

Fix it by casting the type of unmap_start to u64, when right shifted.

This bug is found in LTS Linux 4.1. It also seems to exist in mainline.

Signed-off-by: Chen Jun <chenjun102@...wei.com>
---
 mm/shmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/shmem.c b/mm/shmem.c
index e9342c3..82cebbc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2717,7 +2717,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
 		}
 
 		shmem_falloc.waitq = &shmem_falloc_waitq;
-		shmem_falloc.start = unmap_start >> PAGE_SHIFT;
+		shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
 		shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
 		spin_lock(&inode->i_lock);
 		inode->i_private = &shmem_falloc;
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ