| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Aug 2021 20:08:30 -0500
From: Steve French <smfrench@...il.com>
To: linux-mm <linux-mm@...ck.org>
Cc: linux-fsdevel <linux-fsdevel@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: signed integer overflow bug in truncate_pagecache
Running a debug build of the kernel while running regression tests for
cifs.ko on 5.11, I noticed this message logged which looks like it is
still a probably valid bug in truncate_pagecache in mm/truncate.c in
current kernel as well
loff_t holebegin = round_up(newsize, PAGE_SIZE);
This was what was in dmesg:
[23907.325526] UBSAN: signed-integer-overflow in mm/truncate.c:833:9
[23907.325532] 9223372036854775807 + 1 cannot be represented in type
'long long int'
[23907.325536] CPU: 2 PID: 13007 Comm: xfs_io Not tainted 5.11.22 #1
[23907.325540] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[23907.325543] Call Trace:
[23907.325548] dump_stack+0x8d/0xb5
[23907.325560] ubsan_epilogue+0x5/0x50
[23907.325568] handle_overflow+0xa3/0xb0
[23907.325581] truncate_pagecache+0x8a/0x90
[23907.325587] cifs_set_file_size+0xdb/0x2c0 [cifs]
[23907.325749] cifs_setattr+0xc93/0x1260 [cifs]
[23907.325799] notify_change+0x35b/0x4a0
[23907.325811] ? do_truncate+0x5e/0x90
[23907.325817] do_truncate+0x5e/0x90
[23907.325828] do_sys_ftruncate+0x143/0x280
[23907.325837] do_syscall_64+0x33/0x40
[23907.325842] entry_SYSCALL_64_after_hwframe+0x44/0xa9
--
Thanks,
Steve
Powered by blists - more mailing lists