forked from torvalds/linux
UBSAN: signed-integer-overflow in ../drivers/tty/vt/vt.c:309:19 #351
Labels: [PATCH] Submitted (A patch has been submitted upstream)

Comments
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue on May 6, 2024:
Using the signed overflow sanitizer with syzkaller produces this UBSAN report:

[   31.304043] ------------[ cut here ]------------
[   31.304048] UBSAN: signed-integer-overflow in ../drivers/tty/vt/vt.c:309:19
[   31.304055] -2147483648 + -1073741824 cannot be represented in type 'int'
[   31.304066] CPU: 1 PID: 3894 Comm: syz-executor Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   31.304073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   31.304077] Call Trace:
[   31.304080]  <TASK>
[   31.304083]  dump_stack_lvl+0x93/0xd0
[   31.304177]  handle_overflow+0x171/0x1b0
[   31.304186]  scrollfront+0xcb/0xd0
[   31.304196]  tioclinux+0x3cc/0x450
[   31.304205]  tty_ioctl+0x7fc/0xc00
[   31.304212]  ? __pfx_tty_ioctl+0x10/0x10
[   31.304219]  __se_sys_ioctl+0xe0/0x140
[   31.304228]  do_syscall_64+0xd7/0x1b0
[   31.304236]  ? arch_exit_to_user_mode_prepare+0x11/0x60
[   31.304244]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   31.304254] RIP: 0033:0x7fc3902ae539
[   31.304263] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[   31.304282] RSP: 002b:00007ffc8a457998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   31.304289] RAX: ffffffffffffffda RBX: 00007fc3903e2f80 RCX: 00007fc3902ae539
[   31.304293] RDX: 0000000020000040 RSI: 000000000000541c RDI: 0000000000000003
[   31.304297] RBP: 00007fc39030d496 R08: 0000000000000000 R09: 0000000000000000
[   31.304300] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   31.304304] R13: 0000000000000800 R14: 00007fc3903e2f80 R15: 00007fc3903e2f80
[   31.304310]  </TASK>
[   31.304371] ---[ end trace ]---

This is caused by the scrollback_delta overflowing.

Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv`, but this has since been changed [1] in the newest version of Clang; it was re-enabled in the kernel with Commit 557f8c5 ("ubsan: Reintroduce signed overflow sanitizer").

Note that it would be difficult to reproduce this bug in a non-fuzzing scenario as it requires inputting tons of scroll inputs via keyboard before the scheduled console callback has had a chance to update. Nonetheless, let's saturate scrollback_delta so it stays clamped to integer bounds without wrapping around.

[1]: llvm/llvm-project#82432

Closes: KSPP#351
Signed-off-by: Justin Stitt <justinstitt@google.com>
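The commit message above describes the fix as saturating the accumulator instead of letting the plain `+=` wrap. The following stand-alone C program is an added example written for this page, not code from the kernel or from the patch: it models a signed scroll-delta counter (the `accumulate_scroll` function and the request stream are hypothetical and constructed here), detects the overflow that the UBSAN report shows (`-2147483648 + -1073741824`) with `__builtin_add_overflow`, and contrasts that with a saturating add that clamps to `INT_MIN`/`INT_MAX`. The `sat_add_int` name is an assumption for this example and is not the kernel's helper.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not kernel code): a model of a signed scroll-delta
 * accumulator, showing why an unchecked `delta += lines` is undefined
 * behaviour at the bounds and how a saturating add avoids it.
 */

/* Returns 1 if a + b cannot be represented in an int (would overflow), else 0.
 * __builtin_add_overflow is supported by GCC and Clang. */
static int add_would_overflow(int a, int b)
{
	int unused;
	return __builtin_add_overflow(a, b, &unused);
}

/* Saturating add: clamps to INT_MIN / INT_MAX instead of wrapping. */
static int sat_add_int(int a, int b)
{
	int sum;
	if (__builtin_add_overflow(a, b, &sum))
		return b < 0 ? INT_MIN : INT_MAX;
	return sum;
}

/*
 * Hypothetical accumulator (constructed for this example). With
 * saturate == 0 it mirrors the original `delta += lines` but stops and
 * flags the first request that would overflow (where the real code would
 * have hit undefined behaviour); with saturate != 0 it clamps and
 * keeps consuming requests.
 */
static int accumulate_scroll(const int *requests, size_t n, int saturate, int *overflowed)
{
	int delta = 0;

	*overflowed = 0;
	for (size_t i = 0; i < n; i++) {
		if (saturate) {
			delta = sat_add_int(delta, requests[i]);
		} else if (add_would_overflow(delta, requests[i])) {
			*overflowed = 1;	/* plain `delta += requests[i]` is UB here */
			return delta;
		} else {
			delta += requests[i];
		}
	}
	return delta;
}

int main(void)
{
	/* Constructed request stream reproducing the operands from the report,
	 * followed by one small request to show the clamped value persists. */
	const int requests[] = { INT_MIN, -1073741824, 5 };
	const size_t n = sizeof(requests) / sizeof(requests[0]);
	int overflowed;
	int delta;

	delta = accumulate_scroll(requests, n, 0, &overflowed);
	printf("unchecked: delta=%d overflowed=%d\n", delta, overflowed);

	delta = accumulate_scroll(requests, n, 1, &overflowed);
	printf("saturating: delta=%d overflowed=%d\n", delta, overflowed);
	return 0;
}
```

Compiling the unchecked variant with `-fsanitize=signed-integer-overflow` and replacing the detection branch with a plain `+=` reproduces the same class of report as the one quoted above; the saturating variant never performs the overflowing operation, so the sanitizer has nothing to flag.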
I am sending a patch soon, this issue is for record keeping.