From patchwork Thu Dec 7 13:19:10 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ding Tianhong X-Patchwork-Id: 120970 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp8347275qgn; Thu, 7 Dec 2017 05:20:22 -0800 (PST) X-Google-Smtp-Source: AGs4zMY30zdxWF+NOAA+vbpX7f4MHhRPR1V+jjknL5JW3KWne3QSy8lWMAQpI3gJKv0EX0/WPfpI X-Received: by 10.99.8.4 with SMTP id 4mr25293249pgi.28.1512652822649; Thu, 07 Dec 2017 05:20:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1512652822; cv=none; d=google.com; s=arc-20160816; b=G8eDEsH8cRctvYyUsy0JLLUyZjIlkfinoi3AsAORftIDlETQdsyOci1YUhmntCFa51 6UtfxnYdkZPAQ38/He1Yn3q7h4CtKEhoJLZcoWcIIrlKSphk9FWm7KeyVuGklebvzzSw I+n2idJFu82KgojwVnRnkWJQ6hBsqeKmgox26ubK7/iMMySdvASGDnLKSiZoGmrpAWIp 57oLWf+xHuTuC+hadNORKGRdEDWbUv14uPY4II7IO+HQQ0ZmfX465QhueiiqZ7pD3BFA tAvcRfha3Dsc1fRRVZqtlUEs3sxr3it0pQyso1n4iE1k25bKcr9sjpSQm595xcLM6iJg hLVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:date:message-id:subject:from:to :arc-authentication-results; bh=2AaJZVEt6B6J3Uyz5zJkaxqGJYqqDwX9Njm5U10kni8=; b=FCiT2bYd2pM5NFKx2TTKH+4p5yq1GHc+TBlNVsp+M5HkbTPS8oTr4qEg4Q28Z4rZ9v Itj+fn8n3b+GX1ux7u9xMAuYUPZew7D3ymFN0diD4eeLzW1o1AGnkvyj9hLJbgFR7wzB lGu2eSeSFP/DZTpnGfxCwUbIvQU0DZPN64tosKS/6lm7t+itMKqYBdI1eVTU01Qkt+Dl YCfb4F6vk+bZLa3z24ub+5hhlgofZG2ZL3xzrHWOUN8oH49oqJHk1juWLoAlbRrmJCbe ERV+CT/QDdVeHsTOz3riFQPT/XnTkw0kfZsOxEKDLGLHcjPfH8HdrdN13zHZ5tMeriDi aumw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h71si3630642pge.146.2017.12.07.05.20.22; Thu, 07 Dec 2017 05:20:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932547AbdLGNUU (ORCPT + 22 others); Thu, 7 Dec 2017 08:20:20 -0500 Received: from szxga06-in.huawei.com ([45.249.212.32]:57995 "EHLO huawei.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S932503AbdLGNUR (ORCPT ); Thu, 7 Dec 2017 08:20:17 -0500 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id D146BC49FD02B; Thu, 7 Dec 2017 21:20:03 +0800 (CST) Received: from [127.0.0.1] (10.177.23.32) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.361.1; Thu, 7 Dec 2017 21:19:55 +0800 To: Al Viro , , "linux-kernel@vger.kernel.org" , LinuxArm From: Ding Tianhong Subject: [PATCH] fs: Fix signed integer overflow for vfs_setpos Message-ID: Date: Thu, 7 Dec 2017 21:19:10 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 X-Originating-IP: [10.177.23.32] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The undefined behaviour sanatizer detected an signed integer overflow like this: r0 = memfd_create(&(0x7f0000002000-0x12)="2e726571756573745f6b65795f6175746800",0x0) lseek(r0, 0x4040000000000000, 0x1) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f000000b000-0xd)={@empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x9, 0x1, 0xff, 0x2, 0x6, 0x1,0xd27}, 0x20) mmap(&(0x7f000000e000/0x1000)=nil, 0x1000, 0x3, 0x32,0xffffffffffffffff, 0x0) ioctl$sock_SIOCGSKNS(r0, 0x894c, &(0x7f000000f000-0x4)=0x10000) --------------------------------------------------------------------------------- UBSAN: Undefined behaviour in fs/read_write.c:107:12 signed integer overflow: 4629700416936869888 + 4629700416936869888 cannot be represented in type 'long long int' CPU: 0 PID: 11653 Comm: syz-executor0 Not tainted 4.x.xx+ #2 Hardware name: linux,dummy-virt (DT) Call trace: [] dump_backtrace+0x0/0x2a0 [] show_stack+0x20/0x30 [] dump_stack+0x11c/0x16c [] ubsan_epilogue+0x18/0x70 [] handle_overflow+0x14c/0x188 [] __ubsan_handle_add_overflow+0x34/0x44 [] generic_file_llseek_size+0x1f8/0x2a0 [] shmem_file_llseek+0x7c/0x1f8 [] SyS_lseek+0xc0/0x118 -------------------------------------------------------------------------------- The problem happened because the calculation of signed integer resulted an overflow for the signed integer, so use the unsigned integer to avoid undefined behaviour when it does overflow. Signed-off-by: Ding Tianhong --- fs/read_write.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.8.3.1 diff --git a/fs/read_write.c b/fs/read_write.c index f8547b8..2c377fc 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -105,7 +105,7 @@ loff_t vfs_setpos(struct file *file, loff_t offset, loff_t maxsize) * like SEEK_SET. */ spin_lock(&file->f_lock); - offset = vfs_setpos(file, file->f_pos + offset, maxsize); + offset = vfs_setpos(file, (u64)file->f_pos + offset, maxsize); spin_unlock(&file->f_lock); return offset; case SEEK_DATA: