[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20200522001020.GA89269@dtor-ws>
Date: Thu, 21 May 2020 17:10:20 -0700
From: Dmitry Torokhov <dmitry.torokhov@...il.com>
To: Kyungtae Kim <kt0755@...il.com>
Cc: Greg KH <gregkh@...uxfoundation.org>, Jiri Slaby <jslaby@...e.com>,
syzkaller <syzkaller@...glegroups.com>,
LKML <linux-kernel@...r.kernel.org>,
Dave Tian <dave.jing.tian@...il.com>
Subject: Re: [PATCH] vt: keyboard: avoid integer overflow in k_ascii
On Thu, May 21, 2020 at 11:31:39PM +0000, Kyungtae Kim wrote:
> On Wed, May 20, 2020 at 11:36:02PM -0700, Dmitry Torokhov wrote:
> > Hi,
> >
> > On Thu, May 21, 2020 at 01:34:08AM +0000, Kyungtae Kim wrote:
> > > FuzzUSB (a variant of syzkaller) found an integer overflow
> > > while processing keycode value.
> > >
> > > Reference: https://lkml.org/lkml/2020/3/22/482
> > >
> > > This bug occurs because of no validity check when operating keycode values.
> > > By executing k_ascii() multiple times, npadch can have a large value
> > > close to the max of int type e.g., 1111111111.
> > > In the following, its muliplication causes an integer overflow.
> > >
> > > This fix prevents the overflow by checking npadch using check_mul_overflow()
> > > ahead of its operation.
> > >
> > >
> > > UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19
> > > signed integer overflow:
> > > 10 * 1111111111 cannot be represented in type 'int'
> > > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > > Call Trace:
> > > <IRQ>
> > > __dump_stack lib/dump_stack.c:77 [inline]
> > > dump_stack+0xce/0x128 lib/dump_stack.c:118
> > > ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
> > > handle_overflow+0xdc/0xf0 lib/ubsan.c:184
> > > __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
> > > k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
> > > kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
> > > kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
> > > input_to_handler+0x3a9/0x4b0 drivers/input/input.c:118
> > > input_pass_values.part.8+0x25e/0x690 drivers/input/input.c:145
> > > input_pass_values drivers/input/input.c:193 [inline]
> > > input_repeat_key+0x1f8/0x2c0 drivers/input/input.c:194
> > > call_timer_fn+0x20e/0x770 kernel/time/timer.c:1404
> > > expire_timers kernel/time/timer.c:1449 [inline]
> > > __run_timers kernel/time/timer.c:1773 [inline]
> > > run_timer_softirq+0x63f/0x13c0 kernel/time/timer.c:1786
> > > __do_softirq+0x262/0xb46 kernel/softirq.c:292
> > > invoke_softirq kernel/softirq.c:373 [inline]
> > > irq_exit+0x161/0x1b0 kernel/softirq.c:413
> > > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > > smp_apic_timer_interrupt+0x137/0x500 arch/x86/kernel/apic/apic.c:1146
> > > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > > </IRQ>
> > > RIP: 0010:default_idle+0x2d/0x2e0 arch/x86/kernel/process.c:696
> > > Code: e5 41 57 41 56 65 44 8b 35 30 9d 5d 7a 41 55 41 54 53 0f 1f 44 00 00 e8 11 42 a4 fb e9 07 00 00 00 0f 00 2d d5 29 5e 00 fb f4 <65> 44 8b 35 0b 9d 5d 7a 0f 1f 44 00 00 5b 41 5c 41 5d 41 5e 41 5f
> > > RSP: 0018:ffffffff87007ce8 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13
> > > RAX: 0000000000000007 RBX: ffffffff87032900 RCX: 0000000000000000
> > > RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff87033154
> > > RBP: ffffffff87007d10 R08: fffffbfff0e06521 R09: 0000000000000000
> > > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > > R13: ffffffff88c99c00 R14: 0000000000000000 R15: 0000000000000000
> > > arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:686
> > > default_idle_call+0x50/0x70 kernel/sched/idle.c:94
> > > cpuidle_idle_call kernel/sched/idle.c:154 [inline]
> > > do_idle+0x332/0x530 kernel/sched/idle.c:269
> > > cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:361
> > > rest_init+0x240/0x3d0 init/main.c:660
> > > arch_call_rest_init+0xe/0x1b
> > > start_kernel+0x7f6/0x81e init/main.c:997
> > > x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:490
> > > x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:471
> > > secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
> > >
> > >
> > > Signed-off-by: Kyungtae Kim <kt0755@...il.com>
> > > Reported-and-tested-by: Kyungtae Kim <kt0755@...il.com>
> > >
> > > ---
> > > drivers/tty/vt/keyboard.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> > > index 15d33fa0c925..f7e1bb21bd9c 100644
> > > --- a/drivers/tty/vt/keyboard.c
> > > +++ b/drivers/tty/vt/keyboard.c
> > > @@ -869,6 +869,7 @@ static void k_meta(struct vc_data *vc, unsigned char value, char up_flag)
> > > static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
> > > {
> > > int base;
> > > + int bytes;
> > >
> > > if (up_flag)
> > > return;
> > > @@ -884,6 +885,8 @@ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
> > >
> > > if (npadch == -1)
> > > npadch = value;
> > > + else if (check_mul_overflow(npadch, base, &bytes) || check_add_overflow(bytes, value, &bytes))
> > > + return;
> >
> > Why do we discard the result of calculation and repeat it again below?
> > Can we say
> >
> > else if (check_mul_overflow(npadch, base, &new_npadch) ||
> > check_add_overflow(new_npadch, value, &new_npadch))
Sorry, this should have been
!check...() && !check_(...)
> > npadch = new_npadch;
> >
> > Thanks.
> >
> > --
> > Dmitry
>
> Yes. This looks better.
>
> Thanks,
> Kyungtae Kim
Thanks.
--
Dmitry
Powered by blists - more mailing lists