2024-04-30 01:35:19

by Sam Sun

Subject: [Linux kernel bug] UBSAN: shift-out-of-bounds in idr_get_free

Dear developers and maintainers,

We found a shift-out-of-bounds bug in lib/radix-tree.c. It is tested
against upstream Linux (tag 6.9-rc5). The C repro and kernel config are
attached to this email. The UBSAN report is listed below.

------------[ cut here ]------------
UBSAN: shift-out-of-bounds in lib/radix-tree.c:88:31
shift exponent 72 is too large for 64-bit type 'unsigned long'
CPU: 1 PID: 950 Comm: kworker/u10:3 Not tainted 6.9.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
radix_tree_descend lib/radix-tree.c:88 [inline]
idr_get_free+0x6a5/0xae0 lib/radix-tree.c:1518
idr_alloc_u32 lib/idr.c:46 [inline]
idr_alloc_cyclic+0x1d0/0x5b0 lib/idr.c:125
alloc_pid+0x33c/0xcc0 kernel/pid.c:240
copy_process+0x1c9a/0x3d70 kernel/fork.c:2406
kernel_clone+0x228/0x6b0 kernel/fork.c:2797
user_mode_thread+0x131/0x190 kernel/fork.c:2875
call_usermodehelper_exec_work+0x5b/0x220 kernel/umh.c:172
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3335
worker_thread+0x85c/0xd50 kernel/workqueue.c:3416
kthread+0x2ed/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
</TASK>
---[ end trace ]---

If you have any questions, please contact us.

Reported by Yue Sun <[email protected]>
Reported by xingwei lee <[email protected]>

Best Regards,
Yue


Attachments:
config (242.08 kB)
idr_get_free.c (37.55 kB)
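For triaging reports like the one above, the following added example (not part of the original report or of the kernel tree) parses the UBSAN shift-out-of-bounds header lines quoted in this mail, extracts the source location, shift exponent and type width, and confirms that the shift is undefined in C (exponent negative or not less than the type width). The dataclass and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Input: the first lines of the UBSAN report quoted in this bug report (verbatim from the mail).
UBSAN_REPORT = """\
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in lib/radix-tree.c:88:31
shift exponent 72 is too large for 64-bit type 'unsigned long'
CPU: 1 PID: 950 Comm: kworker/u10:3 Not tainted 6.9.0-rc5 #1
"""

HEADER_RE = re.compile(
    r"UBSAN: shift-out-of-bounds in (?P<file>[^\s:]+):(?P<line>\d+):(?P<col>\d+)")
TOO_LARGE_RE = re.compile(
    r"shift exponent (?P<exp>-?\d+) is too large for (?P<bits>\d+)-bit type '(?P<type>[^']+)'")
NEGATIVE_RE = re.compile(r"shift exponent (?P<exp>-?\d+) is negative")


@dataclass
class ShiftOob:
    file: str
    line: int
    col: int
    exponent: int
    type_bits: Optional[int]   # None when UBSAN only reports a negative exponent
    type_name: Optional[str]

    def is_undefined(self) -> bool:
        # C leaves a shift undefined when the exponent is negative or >= the type width.
        if self.exponent < 0:
            return True
        return self.type_bits is not None and self.exponent >= self.type_bits


def parse_shift_oob(report: str) -> Optional[ShiftOob]:
    """Return the location and shift details from a UBSAN shift-out-of-bounds report."""
    header = HEADER_RE.search(report)
    if header is None:
        return None
    too_large = TOO_LARGE_RE.search(report)
    negative = NEGATIVE_RE.search(report)
    if too_large:
        exp, bits, tname = int(too_large["exp"]), int(too_large["bits"]), too_large["type"]
    elif negative:
        exp, bits, tname = int(negative["exp"]), None, None
    else:
        return None
    return ShiftOob(header["file"], int(header["line"]), int(header["col"]), exp, bits, tname)


if __name__ == "__main__":
    print(parse_shift_oob(UBSAN_REPORT))
```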