Message-ID: <202410281544.bd98d329-lkp@intel.com>
Date: Tue, 29 Oct 2024 13:04:12 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Kees Cook <keescook@...omium.org>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
	Miguel Ojeda <ojeda@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
	"Peter Zijlstra" <peterz@...radead.org>, Hao Luo <haoluo@...gle.com>, Marco
 Elver <elver@...gle.com>, Justin Stitt <justinstitt@...gle.com>,
	<kasan-dev@...glegroups.com>, <linux-hardening@...r.kernel.org>,
	<linux-kbuild@...r.kernel.org>, <oliver.sang@...el.com>
Subject: [linus:master] [ubsan]  557f8c582a: UBSAN:signed-integer-overflow_in_fs/sync.c



Hello,


For this "ubsan: Reintroduce signed overflow sanitizer" change, we really
noticed that some UBSAN issues started to appear:

918327e9b7ffb453 557f8c582a9ba8abe6aa0fd734b
---------------- ---------------------------
       fail:runs  %reproduction    fail:runs
           |             |             |
           :20          50%          10:20    dmesg.UBSAN:signed-integer-overflow_in_arch/x86/include/asm/atomic.h
           :20          10%           2:20    dmesg.UBSAN:signed-integer-overflow_in_fs/open.c
           :20           5%           1:20    dmesg.UBSAN:signed-integer-overflow_in_fs/read_write.c
           :20          50%          10:20    dmesg.UBSAN:signed-integer-overflow_in_fs/sync.c
           :20          85%          17:20    dmesg.UBSAN:signed-integer-overflow_in_include/linux/atomic/atomic-arch-fallback.h

It's out of our scope to backport this change and then find out the real first
bad commits which introduced these issues.

We just made the report below, FYI, of what we observed in our tests.


kernel test robot noticed "UBSAN:signed-integer-overflow_in_fs/sync.c" on:

commit: 557f8c582a9ba8abe6aa0fd734b6f342af106b26 ("ubsan: Reintroduce signed overflow sanitizer")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linus/master      850925a8133c73c4a2453c360b2c3beb3bab67c9]
[test failed on linux-next/master a39230ecf6b3057f5897bc4744a790070cfbe7a8]


in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:

	runtime: 600s



config: i386-randconfig-141-20241024
compiler: clang-19
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202410281544.bd98d329-lkp@intel.com


[  215.770370][  T642] ------------[ cut here ]------------
[  215.777621][  T642] UBSAN: signed-integer-overflow in fs/sync.c:240:19
[  215.788285][  T642] 1880844493352075409 + 8608480566024911059 cannot be represented in type 'loff_t' (aka 'long long')
[  215.801598][  T642] CPU: 0 PID: 642 Comm: trinity-c7 Tainted: G                T  6.8.0-rc2-00013-g557f8c582a9b #1
[  215.817967][  T642] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  215.830638][  T642] Call Trace:
[ 215.834397][ T642] dump_stack_lvl (lib/dump_stack.c:107) 
[ 215.839685][ T642] dump_stack (lib/dump_stack.c:113) 
[ 215.844573][ T642] handle_overflow (lib/ubsan.c:218 lib/ubsan.c:248) 
[ 215.850605][ T642] __ubsan_handle_add_overflow (lib/ubsan.c:255) 
[ 215.857665][ T642] sync_file_range (fs/sync.c:?) 
[ 215.863236][ T642] ? do_int80_syscall_32 (arch/x86/entry/common.c:278) 
[ 215.869588][ T642] ksys_sync_file_range (fs/sync.c:364) 
[ 215.875456][ T642] __ia32_sys_ia32_sync_file_range (arch/x86/kernel/sys_ia32.c:107) 
[ 215.886149][ T642] do_int80_syscall_32 (arch/x86/entry/common.c:?) 
[ 215.892113][ T642] ? syscall_exit_to_user_mode (kernel/entry/common.c:215) 
[ 215.899078][ T642] ? do_int80_syscall_32 (arch/x86/entry/common.c:278) 
[ 215.905299][ T642] ? irqentry_exit_to_user_mode (kernel/entry/common.c:228) 
[ 215.912366][ T642] ? irqentry_exit (kernel/entry/common.c:361) 
[ 215.917978][ T642] ? sysvec_call_function_single (arch/x86/kernel/apic/apic.c:1076) 
[ 215.925139][ T642] entry_INT80_32 (arch/x86/entry/entry_32.S:947) 
[  215.931354][  T642] EIP: 0xb7fcc092
[ 215.936180][ T642] Code: 00 00 00 e9 90 ff ff ff ff a3 24 00 00 00 68 30 00 00 00 e9 80 ff ff ff ff a3 f8 ff ff ff 66 90 00 00 00 00 00 00 00 00 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00 8b 1c 24 c3 8d b4 26 00
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	00 e9                	add    %ch,%cl
   4:	90                   	nop
   5:	ff                   	(bad)
   6:	ff                   	(bad)
   7:	ff                   	(bad)
   8:	ff a3 24 00 00 00    	jmp    *0x24(%rbx)
   e:	68 30 00 00 00       	push   $0x30
  13:	e9 80 ff ff ff       	jmp    0xffffffffffffff98
  18:	ff a3 f8 ff ff ff    	jmp    *-0x8(%rbx)
  1e:	66 90                	xchg   %ax,%ax
	...
  28:	cd 80                	int    $0x80
  2a:*	c3                   	ret		<-- trapping instruction
  2b:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  32:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  38:	8b 1c 24             	mov    (%rsp),%ebx
  3b:	c3                   	ret
  3c:	8d                   	.byte 0x8d
  3d:	b4 26                	mov    $0x26,%ah
	...

Code starting with the faulting instruction
===========================================
   0:	c3                   	ret
   1:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
   8:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
   e:	8b 1c 24             	mov    (%rsp),%ebx
  11:	c3                   	ret
  12:	8d                   	.byte 0x8d
  13:	b4 26                	mov    $0x26,%ah
	...
[  215.959775][  T642] EAX: ffffffda EBX: 00000167 ECX: 00000091 EDX: 1a1a1a1a
[  215.968070][  T642] ESI: 11c4b8d3 EDI: 77777777 EBP: 00000000 ESP: bfafd7a8
[  215.976212][  T642] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
[  216.099174][    T1] sbc7240_wdt: timeout value must be 1<=x<=255
[  216.190859][  T642] ---[ end trace ]---



[  274.950074][    C0] ------------[ cut here ]------------
[  274.956226][    C0] UBSAN: signed-integer-overflow in arch/x86/include/asm/atomic.h:85:11
[  274.966763][    C0] -560020972 + -1641070746 cannot be represented in type 'int'
[  275.004321][    C0] CPU: 0 PID: 1058 Comm: trinity-c4 Tainted: G                T  6.8.0-rc2-00013-g557f8c582a9b #1
[  275.014695][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  275.024834][    C0] Call Trace:
[  275.028200][    C0]  <SOFTIRQ>
[  275.031444][    C0]  dump_stack_lvl+0x77/0xb0
[  275.035949][    C0]  dump_stack+0xd/0x14
[  275.039999][    C0]  handle_overflow+0x279/0x2a0
[  275.044833][    C0]  __ubsan_handle_add_overflow+0x10/0x20
[  275.050399][    C0]  __ip_select_ident+0xe1/0x100
[  275.055298][    C0]  ip_select_ident_segs+0xb8/0x110
[  275.060353][    C0]  __ip_make_skb+0x257/0x390
[  275.064951][    C0]  ip_push_pending_frames+0x1b/0x40
[  275.070103][    C0]  icmp_push_reply+0xc8/0x100
[  275.074775][    C0]  __icmp_send+0x47e/0x4d0
[  275.079534][    C0]  __udp4_lib_rcv+0x609/0x6e0
[  275.084394][    C0]  udplite_rcv+0x17/0x20
[  275.088608][    C0]  ip_protocol_deliver_rcu+0xe4/0x390
[  275.093960][    C0]  ? ip_local_deliver+0x150/0x150
[  275.099299][    C0]  ip_local_deliver+0xe8/0x150
[  275.104613][    C0]  ip_rcv_finish+0x73/0x90
[  275.109057][    C0]  ip_rcv+0x1f/0x30
[  275.112983][    C0]  __netif_receive_skb+0x6e/0x120
[  275.118031][    C0]  process_backlog+0x1a7/0x250
[  275.123224][    C0]  __napi_poll+0x2a/0x1f0
[  275.127626][    C0]  net_rx_action+0x138/0x2a0
[  275.132262][    C0]  __do_softirq+0x11f/0x41f
[  275.136794][    C0]  ? do_softirq_own_stack+0x55/0x60
[  275.141921][    C0]  ? queued_write_lock_slowpath+0x13c/0x13c
[  275.147853][    C0]  do_softirq_own_stack+0x55/0x60
[  275.152840][    C0]  </SOFTIRQ>
[  275.156181][    C0]  do_softirq+0x46/0x90
[  275.160351][    C0]  __local_bh_enable_ip+0xe0/0x110
[  275.165410][    C0]  local_bh_enable+0x12/0x20
[  275.170019][    C0]  __dev_queue_xmit+0x5bd/0x950
[  275.174874][    C0]  ? read_seqbegin+0x78/0xc0
[  275.179543][    C0]  ? neigh_resolve_output+0xec/0x180
[  275.184754][    C0]  ? trace_hardirqs_on+0x56/0xa0
[  275.189687][    C0]  ? of_get_ethdev_address+0x50/0x50
[  275.194928][    C0]  neigh_resolve_output+0x133/0x180
[  275.200083][    C0]  ? eth_header_parse+0x30/0x30
[  275.204881][    C0]  ip_finish_output2+0x598/0x6c0
[  275.209806][    C0]  ? ip_finish_output+0x47/0x110
[  275.214703][    C0]  ? __local_bh_enable_ip+0xb0/0x110
[  275.220076][    C0]  ip_finish_output+0x47/0x110
[  275.224815][    C0]  ip_output+0x49/0x60
[  275.228926][    C0]  ip_local_out+0x74/0xa0
[  275.233397][    C0]  ip_send_skb+0x18/0x110
[  275.237738][    C0]  udp_send_skb+0x2d7/0x350
[  275.242281][    C0]  udp_sendmsg+0x9c2/0xa70
[  275.246883][    C0]  ? udp_sendmsg+0xa70/0xa70
[  275.251648][    C0]  ? udp_cmsg_send+0xd0/0xd0
[  275.256670][    C0]  inet_sendmsg+0xa6/0xb0
[  275.261266][    C0]  __sock_sendmsg+0x48/0x80
[  275.265773][    C0]  ____sys_sendmsg+0x13b/0x1e0
[  275.270597][    C0]  __sys_sendmsg+0x18b/0x1c0
[  275.275597][    C0]  __ia32_sys_sendmsg+0x1a/0x20
[  275.280454][    C0]  do_int80_syscall_32+0xe7/0x12c
[  275.285440][    C0]  ? syscall_exit_to_user_mode+0xf0/0x100
[  275.291087][    C0]  ? do_int80_syscall_32+0xf1/0x12c
[  275.296333][    C0]  ? rcu_lock_acquire+0x30/0x30
[  275.301222][    C0]  ? syscall_exit_to_user_mode+0xf0/0x100
[  275.306894][    C0]  ? do_int80_syscall_32+0xf1/0x12c
[  275.312116][    C0]  ? do_int80_syscall_32+0xf1/0x12c
[  275.317262][    C0]  ? syscall_exit_to_user_mode+0xf0/0x100
[  275.322879][    C0]  ? do_int80_syscall_32+0xf1/0x12c
[  275.328094][    C0]  ? do_int80_syscall_32+0xf1/0x12c
[  275.333216][    C0]  ? irqentry_exit_to_user_mode+0xe4/0xf4
[  275.338851][    C0]  ? irqentry_exit+0x56/0x88
[  275.343455][    C0]  ? sysvec_call_function_single+0x30/0x30
[  275.349279][    C0]  entry_INT80_32+0x125/0x125
[  275.353945][    C0] EIP: 0xb7fcc092
[  275.357581][    C0] Code: 00 00 00 e9 90 ff ff ff ff a3 24 00 00 00 68 30 00 00 00 e9 80 ff ff ff ff a3 f8 ff ff ff 66 90 00 00 00 00 00 00 00 00 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00 8b 1c 24 c3 8d b4 26 00
[  275.376574][    C0] EAX: ffffffda EBX: 00000134 ECX: 01f07b00 EDX: 00000000
[  275.383603][    C0] ESI: fffffffc EDI: 85858585 EBP: fffffffe ESP: bfafd7a8
[  275.390502][    C0] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
[  275.400392][    C0] ---[ end trace ]---



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241028/202410281544.bd98d329-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
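As an added illustration (not code from this report or from the kernel), the block below is a user-space model of the offset + nbytes range check that the flagged fs/sync.c path performs: the overflow-prone form beside one that uses GCC/Clang's __builtin_add_overflow, replayed on the two operands UBSAN printed. The names range_ok_unchecked, range_ok_checked and checked_end are my own.

```c
#include <stdbool.h>
#include <stdio.h>

typedef long long loff_t;   /* the 'loff_t' (aka 'long long') named in the report */

/* Pattern UBSAN objects to: the sum is formed before anything checks it.
 * If offset + nbytes exceeds LLONG_MAX the addition is undefined behaviour,
 * which is what fs/sync.c:240 was flagged for.  Shown only for contrast;
 * it is never called with overflowing operands here. */
static bool range_ok_unchecked(loff_t offset, loff_t nbytes)
{
    loff_t endbyte = offset + nbytes;
    return offset >= 0 && endbyte >= 0;
}

/* Hardened pattern: reject negative operands, then let the compiler's
 * checked addition (GCC/Clang __builtin_add_overflow) detect the overflow
 * without ever evaluating an out-of-range signed sum. */
static bool range_ok_checked(loff_t offset, loff_t nbytes, loff_t *endbyte)
{
    if (offset < 0 || nbytes < 0)
        return false;
    return !__builtin_add_overflow(offset, nbytes, endbyte);
}

/* Convenience wrapper: the end byte on success, -1 when the range is rejected. */
static loff_t checked_end(loff_t offset, loff_t nbytes)
{
    loff_t end;
    return range_ok_checked(offset, nbytes, &end) ? end : -1;
}

int main(void)
{
    /* The two operands UBSAN printed in the report, replayed as constructed input. */
    loff_t off = 1880844493352075409LL, len = 8608480566024911059LL;
    printf("offset=%lld nbytes=%lld -> %s\n", off, len,
           checked_end(off, len) < 0 ? "rejected (would overflow)" : "accepted");
    printf("offset=4096 nbytes=8192 -> end=%lld\n", checked_end(4096, 8192));
    return 0;
}
```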

