2024-05-06 18:55:30

by Justin Stitt

[permalink] [raw]
Subject: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow

Using the signed overflow sanitizer with syzkaller produces this UBSAN
report:

[ 31.304043] ------------[ cut here ]------------
[ 31.304048] UBSAN: signed-integer-overflow in ../drivers/tty/vt/vt.c:309:19
[ 31.304055] -2147483648 + -1073741824 cannot be represented in type 'int'
[ 31.304066] CPU: 1 PID: 3894 Comm: syz-executor Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[ 31.304073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.304077] Call Trace:
[ 31.304080] <TASK>
[ 31.304083] dump_stack_lvl+0x93/0xd0
[ 31.304177] handle_overflow+0x171/0x1b0
[ 31.304186] scrollfront+0xcb/0xd0
[ 31.304196] tioclinux+0x3cc/0x450
[ 31.304205] tty_ioctl+0x7fc/0xc00
[ 31.304212] ? __pfx_tty_ioctl+0x10/0x10
[ 31.304219] __se_sys_ioctl+0xe0/0x140
[ 31.304228] do_syscall_64+0xd7/0x1b0
[ 31.304236] ? arch_exit_to_user_mode_prepare+0x11/0x60
[ 31.304244] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 31.304254] RIP: 0033:0x7fc3902ae539
[ 31.304263] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
[ 31.304282] RSP: 002b:00007ffc8a457998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 31.304289] RAX: ffffffffffffffda RBX: 00007fc3903e2f80 RCX: 00007fc3902ae539
[ 31.304293] RDX: 0000000020000040 RSI: 000000000000541c RDI: 0000000000000003
[ 31.304297] RBP: 00007fc39030d496 R08: 0000000000000000 R09: 0000000000000000
[ 31.304300] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 31.304304] R13: 0000000000000800 R14: 00007fc3903e2f80 R15: 00007fc3903e2f80
[ 31.304310] </TASK>
[ 31.304371] ---[ end trace ]---

This is caused by the scrollback_delta overflowing. Historically, the
signed integer overflow sanitizer did not work in the kernel due to its
interaction with `-fwrapv` but this has since been changed [1] in the
newest version of Clang; It being re-enabled in the kernel with Commit
557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer").

Note that it would be difficult to reproduce this bug in a non-fuzzing
scenario as it requires inputting tons of scroll inputs via keyboard
before the scheduled console callback has had a chance to update.
Nonetheless, let's saturate scrollback_delta so it stays clamped to
integer bounds without wrapping around.

[1]: https://github.com/llvm/llvm-project/pull/82432

Closes: https://github.com/KSPP/linux/issues/351
Signed-off-by: Justin Stitt <[email protected]>
---
Note: I am using Kees' SIO tree as a base:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v6.8-rc2/signed-overflow-sanitizer
---
drivers/tty/vt/vt.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 9b5b98dfc8b4..b4768336868e 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -308,7 +308,14 @@ static inline void scrolldelta(int lines)
/* FIXME */
/* scrolldelta needs some kind of consistency lock, but the BKL was
and still is not protecting versus the scheduled back end */
- scrollback_delta += lines;
+
+ /* saturate scrollback_delta so that it never wraps around */
+ if (lines > 0 && unlikely(INT_MAX - lines < scrollback_delta))
+ scrollback_delta = INT_MAX;
+ else if (lines < 0 && unlikely(INT_MIN - lines > scrollback_delta))
+ scrollback_delta = INT_MIN;
+ else
+ scrollback_delta += lines;
schedule_console_callback();
}


---
base-commit: 0106679839f7c69632b3b9833c3268c316c0a9fc
change-id: 20240506-b4-sio-scrollback-delta-dff9aabace26

Best regards,
--
Justin Stitt <[email protected]>



2024-05-09 06:31:16

by Jiri Slaby

[permalink] [raw]
Subject: Re: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow

On 06. 05. 24, 20:55, Justin Stitt wrote:
> Using the signed overflow sanitizer with syzkaller produces this UBSAN
> report:
>
> [ 31.304043] ------------[ cut here ]------------
> [ 31.304048] UBSAN: signed-integer-overflow in ../drivers/tty/vt/vt.c:309:19
> [ 31.304055] -2147483648 + -1073741824 cannot be represented in type 'int'
> [ 31.304066] CPU: 1 PID: 3894 Comm: syz-executor Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
> [ 31.304073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 31.304077] Call Trace:
> [ 31.304080] <TASK>
> [ 31.304083] dump_stack_lvl+0x93/0xd0
> [ 31.304177] handle_overflow+0x171/0x1b0
> [ 31.304186] scrollfront+0xcb/0xd0
> [ 31.304196] tioclinux+0x3cc/0x450
> [ 31.304205] tty_ioctl+0x7fc/0xc00

The rest of the stack trace can be trimmed:

> [ 31.304212] ? __pfx_tty_ioctl+0x10/0x10
> [ 31.304219] __se_sys_ioctl+0xe0/0x140
> [ 31.304228] do_syscall_64+0xd7/0x1b0
> [ 31.304236] ? arch_exit_to_user_mode_prepare+0x11/0x60
> [ 31.304244] entry_SYSCALL_64_after_hwframe+0x6f/0x77
> [ 31.304254] RIP: 0033:0x7fc3902ae539
> [ 31.304263] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 8
> [ 31.304282] RSP: 002b:00007ffc8a457998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> [ 31.304289] RAX: ffffffffffffffda RBX: 00007fc3903e2f80 RCX: 00007fc3902ae539
> [ 31.304293] RDX: 0000000020000040 RSI: 000000000000541c RDI: 0000000000000003
> [ 31.304297] RBP: 00007fc39030d496 R08: 0000000000000000 R09: 0000000000000000
> [ 31.304300] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> [ 31.304304] R13: 0000000000000800 R14: 00007fc3903e2f80 R15: 00007fc3903e2f80
> [ 31.304310] </TASK>
> [ 31.304371] ---[ end trace ]---
>
> This is caused by the scrollback_delta overflowing. Historically, the
> signed integer overflow sanitizer did not work in the kernel due to its
> interaction with `-fwrapv` but this has since been changed [1] in the
> newest version of Clang; It being re-enabled in the kernel with Commit
> 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer").
>
> Note that it would be difficult to reproduce this bug in a non-fuzzing
> scenario as it requires inputting tons of scroll inputs via keyboard
> before the scheduled console callback has had a chance to update.
> Nonetheless, let's saturate scrollback_delta so it stays clamped to
> integer bounds without wrapping around.

And what is actually broken, given signed overflow is well defined under
the -fwrapv wings?

> [1]: https://github.com/llvm/llvm-project/pull/82432
>
> Closes: https://github.com/KSPP/linux/issues/351
> Signed-off-by: Justin Stitt <[email protected]>
> ---
> Note: I am using Kees' SIO tree as a base:
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v6.8-rc2/signed-overflow-sanitizer
> ---
> drivers/tty/vt/vt.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 9b5b98dfc8b4..b4768336868e 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -308,7 +308,14 @@ static inline void scrolldelta(int lines)
> /* FIXME */
> /* scrolldelta needs some kind of consistency lock, but the BKL was
> and still is not protecting versus the scheduled back end */
> - scrollback_delta += lines;
> +
> + /* saturate scrollback_delta so that it never wraps around */
> + if (lines > 0 && unlikely(INT_MAX - lines < scrollback_delta))
> + scrollback_delta = INT_MAX;
> + else if (lines < 0 && unlikely(INT_MIN - lines > scrollback_delta))
> + scrollback_delta = INT_MIN;
> + else
> + scrollback_delta += lines;

NACK, this is horrid.

Introduce a helper for this in overflow.h if we have none yet.

thanks,
--
js
suse labs


2024-05-09 22:01:41

by Justin Stitt

[permalink] [raw]
Subject: Re: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow

Hi,

On Wed, May 8, 2024 at 11:31 PM Jiri Slaby <[email protected]> wrote:
>
>
> And what is actually broken, given signed overflow is well defined under
> the -fwrapv wings?
>

well-defined code can still be broken.

We want to better safeguard against accidental overflow as this is the
root cause of many bugs/vulnerabilities. So, in this spirit, we
recently enhanced the signed-integer-overflow sanitizer and its
ability to function with -fwrapv enabled [1]. On the Kernel side of
things, Kees' tree [2] has done a lot of the groundwork to get this
sanitizer enabled and less noisy.

WIth all that being said, my solution to this problem in this
particular instance is not the most elegant, as you rightly pointed
out.


> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 9b5b98dfc8b4..b4768336868e 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -308,7 +308,14 @@ static inline void scrolldelta(int lines)
> > /* FIXME */
> > /* scrolldelta needs some kind of consistency lock, but the BKL was
> > and still is not protecting versus the scheduled back end */
> > - scrollback_delta += lines;
> > +
> > + /* saturate scrollback_delta so that it never wraps around */
> > + if (lines > 0 && unlikely(INT_MAX - lines < scrollback_delta))
> > + scrollback_delta = INT_MAX;
> > + else if (lines < 0 && unlikely(INT_MIN - lines > scrollback_delta))
> > + scrollback_delta = INT_MIN;
> > + else
> > + scrollback_delta += lines;
>
> NACK, this is horrid.

Agreed.

Does an implementation like this look any better?

static inline void scrolldelta(int lines)
{
...
/* saturate scrollback_delta so that it never wraps around */
if (lines > 0)
scrollback_delta = min(scrollback_delta, INT_MAX -
lines) + lines;
else
scrollback_delta = max(scrollback_delta, INT_MIN -
lines) + lines;
schedule_console_callback();
}

Accounting for the possibility of both underflow and overflow is what
is making this code a bit bloated but if this new approach looks good
enough I can send a v2.

>
> Introduce a helper for this in overflow.h if we have none yet.

We have these but for unsigned (size_t) types. I'm open to adding
signed_saturating_add(addend1, addend2, ceiling, floor) or something
similar.

>
> thanks,
> --
> js
> suse labs
>

[1]: https://github.com/llvm/llvm-project/pull/82432
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v6.8-rc2/signed-overflow-sanitizer

Thanks
Justin

2024-05-09 22:04:30

by Justin Stitt

[permalink] [raw]
Subject: Re: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow

On Thu, May 9, 2024 at 3:01 PM Justin Stitt <[email protected]> wrote:
>
>
> Agreed.
>
> Does an implementation like this look any better?
>
> static inline void scrolldelta(int lines)
> {
> ...
> /* saturate scrollback_delta so that it never wraps around */
> if (lines > 0)
> scrollback_delta = min(scrollback_delta, INT_MAX -
> lines) + lines;
> else
> scrollback_delta = max(scrollback_delta, INT_MIN -
> lines) + lines;
> schedule_console_callback();
> }

I apologize for this formatting, gmail ate my tabs.

Note to self, do NOT copy/paste from vim to gmail's web client.

> Thanks
> Justin

2024-05-10 10:41:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow

On Mon, May 06, 2024 at 06:55:19PM +0000, Justin Stitt wrote:
> Using the signed overflow sanitizer with syzkaller produces this UBSAN
> report:

<snip>

I think you might want to hold off on these until the discussion on the
hardening list about overflows all settles down to a solid resolution.
Right now these all seem to be a mess and perhaps you will have a better
set of primitives to work with once that thread is finished.

thanks,

greg k-h

2024-05-10 16:13:57

by Justin Stitt

[permalink] [raw]
Subject: Re: [PATCH] tty: vt: saturate scrollback_delta to avoid overflow

On Fri, May 10, 2024 at 3:40 AM Greg Kroah-Hartman
<[email protected]> wrote:
>
> On Mon, May 06, 2024 at 06:55:19PM +0000, Justin Stitt wrote:
> > Using the signed overflow sanitizer with syzkaller produces this UBSAN
> > report:
>
> <snip>
>
> I think you might want to hold off on these until the discussion on the
> hardening list about overflows all settles down to a solid resolution.
> Right now these all seem to be a mess and perhaps you will have a better
> set of primitives to work with once that thread is finished.

Agreed.

I came to the same conclusion once I reached fs/*.

Let's see how folks want to go forward with handling wraparound :thumbs_up:

>
> thanks,
>
> greg k-h

Thanks
Justin