2024-05-06 23:16:26

by Justin Stitt

[permalink] [raw]
Subject: Re: [PATCH] block/ioctl: use overflow helper for blkpg_partition fields

On Mon, May 6, 2024 at 4:10 PM Justin Stitt <[email protected]> wrote:
>
> Running syzkaller with the newly reintroduced signed integer overflow
> sanitizer shows this report:
>
> [ 62.982337] ------------[ cut here ]------------
> [ 62.985692] cgroup: Invalid name
> [ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46
> [ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1
> [ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'
> [ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1
> [ 62.999369] random: crng reseeded on system resumption
> [ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)
> [ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
> [ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 63.000682] Call Trace:
> [ 63.000686] <TASK>
> [ 63.000731] dump_stack_lvl+0x93/0xd0
> [ 63.000919] __get_user_pages+0x903/0xd30
> [ 63.001030] __gup_longterm_locked+0x153e/0x1ba0
> [ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50
> [ 63.001072] ? try_get_folio+0x29c/0x2d0
> [ 63.001083] internal_get_user_pages_fast+0x1119/0x1530
> [ 63.001109] iov_iter_extract_pages+0x23b/0x580
> [ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220
> [ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410
> [ 63.001297] __iomap_dio_rw+0xab4/0x1810
> [ 63.001316] iomap_dio_rw+0x45/0xa0
> [ 63.001328] ext4_file_write_iter+0xdde/0x1390
> [ 63.001372] vfs_write+0x599/0xbd0
> [ 63.001394] ksys_write+0xc8/0x190
> [ 63.001403] do_syscall_64+0xd4/0x1b0
> [ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60
> [ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77
> [ 63.001535] RIP: 0033:0x7f7fd3ebf539
> [ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> [ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539
> [ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004
> [ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000
> [ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> [ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8
> ...
> [ 63.018142] ---[ end trace ]---
>

Please note that I had to reconstruct this entire UBSAN report with
some fancy regex as the actual report on my box had some IO flushing
issues when running syzkaller with multiple threads. Due to this, this
report may look weird but I tried my best to put things in
chronological order.