| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68d8b60a.050a0220.25d7ab.046f.GAE@google.com> Date: Sat, 27 Sep 2025 21:14:02 -0700 From: syzbot <syzbot+270f1c719ee7baab9941@...kaller.appspotmail.com> To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, xandfury@...il.com Subject: Re: [syzbot] [scsi?] UBSAN: shift-out-of-bounds in sg_build_indirect Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: UBSAN: shift-out-of-bounds in sg_build_indirect ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in drivers/scsi/sg.c:1896:13 shift exponent 64 is too large for 32-bit type 'int' CPU: 0 UID: 0 PID: 6529 Comm: syz.0.16 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sg_build_indirect.cold+0x1b/0x20 drivers/scsi/sg.c:1896 sg_build_reserve+0xc4/0x180 drivers/scsi/sg.c:2006 sg_add_sfp drivers/scsi/sg.c:2188 [inline] sg_open+0xc88/0x1a10 drivers/scsi/sg.c:348 chrdev_open+0x234/0x6a0 fs/char_dev.c:414 do_dentry_open+0x97f/0x1530 fs/open.c:965 vfs_open+0x82/0x3f0 fs/open.c:1095 do_open fs/namei.c:3887 [inline] path_openat+0x1de4/0x2cb0 fs/namei.c:4046 do_filp_open+0x20b/0x470 fs/namei.c:4073 do_sys_openat2+0x11b/0x1d0 fs/open.c:1435 do_sys_open fs/open.c:1450 [inline] __do_sys_openat fs/open.c:1466 [inline] __se_sys_openat fs/open.c:1461 [inline] __x64_sys_openat+0x174/0x210 fs/open.c:1461 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fac63f8cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fac64de2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fac641a5fa0 RCX: 00007fac63f8cde9 RDX: 000000000008a002 RSI: 00004000000000c0 RDI: ffffffffffffff9c RBP: 00007fac6400e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fac641a5fa0 R15: 00007ffc0932dc28 </TASK> ---[ end trace ]--- Tested on: commit: 51a24b7d Merge tag 'trace-tools-v6.17-rc5' of git://gi.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1203df12580000 kernel config: https://syzkaller.appspot.com/x/.config?x=c0765aa9a4a8b6b6 dashboard link: https://syzkaller.appspot.com/bug?extid=270f1c719ee7baab9941 compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 Note: no patches were applied.
Powered by blists - more mailing lists