| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e6987f0268bd7bceddbd6ec53fa174d07cfa3114.camel@ibm.com>
Date: Thu, 18 Sep 2025 18:07:23 +0000
From: Viacheslav Dubeyko <Slava.Dubeyko@....com>
To: "ceph-devel@...r.kernel.org" <ceph-devel@...r.kernel.org>,
"lyican53@...il.com" <lyican53@...il.com>
CC: "idryomov@...il.com" <idryomov@...il.com>, Xiubo Li <xiubli@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ceph: Fix potential undefined behavior in crush_ln()
with GCC 11.1.0
On Thu, 2025-09-18 at 09:50 +0800, 陈华昭(Lyican) wrote:
> When compiled with GCC 11.1.0 and -march=x86-64-v3 -O1 optimization flags,
> __builtin_clz() may generate BSR instructions without proper zero handling.
> The BSR instruction has undefined behavior when the source operand is zero,
> which could occur when (x & 0x1FFFF) equals 0 in the crush_ln() function.
>
> This issue is documented in GCC bug 101175:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101175
>
> The problematic code path occurs in crush_ln() when:
> - x is incremented from xin
> - (x & 0x18000) == 0 (condition for the optimization)
> - (x & 0x1FFFF) == 0 (zero argument to __builtin_clz)
>
> Testing with GCC 11.5.0 confirms that specific input values like 0x7FFFF,
> 0x9FFFF, 0xBFFFF, 0xDFFFF, 0xFFFFF can trigger this condition, causing
> __builtin_clz(0) to be called with undefined behavior.
>
> Add a zero check before calling __builtin_clz() to ensure defined behavior
> across all GCC versions and optimization levels.
>
> Signed-off-by: Huazhao Chen <lyican53@...il.com>
> ---
> net/ceph/crush/mapper.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ceph/crush/mapper.c b/net/ceph/crush/mapper.c
> index 1234567..abcdef0 100644
> --- a/net/ceph/crush/mapper.c
> +++ b/net/ceph/crush/mapper.c
> @@ -262,7 +262,8 @@ static __u64 crush_ln(unsigned int xin)
> * do it in one step instead of iteratively
> */
> if (!(x & 0x18000)) {
> - int bits = __builtin_clz(x & 0x1FFFF) - 16;
> + u32 masked = x & 0x1FFFF;
> + int bits = masked ? __builtin_clz(masked) - 16 : 16;
> x <<= bits;
> iexpon = 15 - bits;
> }
Unfortunately, I am failing to apply the patch:
git am
./20250918_lyican53_ceph_fix_potential_undefined_behavior_in_crush_ln_with_gcc_1
1_1_0.mbx
Applying: ceph: Fix potential undefined behavior in crush_ln() with GCC 11.1.0
error: corrupt patch at line 10
Patch failed at 0001 ceph: Fix potential undefined behavior in crush_ln() with
GCC 11.1.0
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
I am applying the patch on commit f83ec76bf285bea5727f478a68b894f5543ca76e:
Author: Linus Torvalds <torvalds@...ux-foundation.org>
Date: Sun Sep 14 14:21:14 2025 -0700
Linux 6.17-rc6
Which kernel version do you have?
Thanks,
Slava.
Powered by blists - more mailing lists