Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751217AbdIFEcP (ORCPT ); Wed, 6 Sep 2017 00:32:15 -0400
Received: from outprodmail01.cc.columbia.edu ([128.59.72.39]:53393 "EHLO outprodmail01.cc.columbia.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750716AbdIFEcO (ORCPT ); Wed, 6 Sep 2017 00:32:14 -0400
X-Google-Smtp-Source: ADKCNb4rhaWCfHb1aBCgSZbEej3s9UtXRv629i7F1EGiiD7rkHXI+g9BOL1B3flH+d0i3kX33o9wf5zzLsU1iwPRs/c=
MIME-Version: 1.0
From: Shankara Pailoor
Date: Wed, 6 Sep 2017 00:32:11 -0400
Message-ID:
Subject: UBSAN: Undefined error in time.h signed integer overflow
To: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-No-Spam-Score: Local
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2829
Lines: 74

Hi,

I encountered this bug while fuzzing linux kernel 4.13-rc7 with syzkaller.

================================================================================
UBSAN: Undefined behaviour in ./include/linux/time.h:233:27
signed integer overflow:
8391720337152500783 * 1000000000 cannot be represented in type 'long int'
CPU: 0 PID: 31798 Comm: syz-executor2 Not tainted 4.13.0-rc7 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0xf7/0x1ae lib/dump_stack.c:52
 ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
 handle_overflow+0x21e/0x292 lib/ubsan.c:195
 __ubsan_handle_mul_overflow+0x2a/0x3e lib/ubsan.c:219
 timespec_to_ns include/linux/time.h:233 [inline]
 posix_cpu_timer_set+0xb5c/0xf20 kernel/time/posix-cpu-timers.c:686
 do_timer_settime+0x1f4/0x390 kernel/time/posix-timers.c:890
 SYSC_timer_settime kernel/time/posix-timers.c:916 [inline]
 SyS_timer_settime+0xea/0x170 kernel/time/posix-timers.c:902
 entry_SYSCALL_64_fastpath+0x18/0xad
RIP: 0033:0x451e59
RSP: 002b:00007fb62af4fc08 EFLAGS: 00000216 ORIG_RAX: 00000000000000df
RAX: 
ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
RDX: 0000000020006000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020003fe0 R11: 0000000000000216 R12: 00000000004be920
R13: 00000000ffffffff R14: ffffffffffffffff R15: 0000000000000000
================================================================================

Here is the full reproducer program:
https://pastebin.com/xucAtmbD

Below is the core of the reproducer:

/*
 * Result slots: each case below stores a syscall return value (or a value
 * read back from the mapped region) at a fixed index.
 */
long r[16];

/*
 * One step of the syzkaller-generated reproducer, selected by the integer
 * carried in arg. Every step works on fixed addresses inside the region
 * mapped by case 0. How the steps are scheduled (which threads, in what
 * order) is decided by the full reproducer and is not shown here.
 *
 * NONFAILING is a macro from the full reproducer; presumably it keeps a
 * faulting access from killing the program -- confirm against the full
 * source.
 *
 * Always returns 0.
 */
void *thr(void *arg)
{
  switch ((long)arg) {
  case 0:
    /*
     * Map 0xd000 bytes at the fixed address 0x20000000 (prot 0x3, flags
     * 0x32, fd -1, offset 0); every address used below falls inside it.
     */
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xd000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    /*
     * Build the second timer_create argument in place at 0x20001fb0
     * (presumably a struct sigevent -- verify the field layout), then
     * create a timer on clock id 0x3. The call trace above goes through
     * posix_cpu_timer_set, i.e. a CPU-time clock.
     */
    NONFAILING(*(uint64_t*)0x20001fb0 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x20001fb8 = (uint32_t)0x1);
    NONFAILING(*(uint32_t*)0x20001fbc = (uint32_t)0x0);
    NONFAILING(*(uint64_t*)0x20001fc0 = (uint64_t)0x20007fcd);
    NONFAILING(*(uint64_t*)0x20001fc8 = (uint64_t)0x20005000);
    r[6] = syscall(__NR_timer_create, 0x3ul, 0x20001fb0ul, 0x20000000ul);
    break;
  case 2:
    /*
     * Read clock 0x0 into 0x20004000 and keep the 64-bit word at offset 8
     * (tv_nsec in the x86-64 struct timespec layout) in r[8].
     */
    r[7] = syscall(__NR_clock_gettime, 0x0ul, 0x20004000ul);
    if (r[7] != -1)
      NONFAILING(r[8] = *(uint64_t*)0x20004008);
    break;
  case 3:
    /*
     * Fill four 64-bit words at 0x20006000..0x2000601f and pass that
     * buffer as the new-value argument of timer_settime (RDX in the
     * register dump above is 0x20006000). On x86-64 these would be
     * it_interval.tv_sec, it_interval.tv_nsec, it_value.tv_sec and
     * it_value.tv_nsec. None of the values stored here is anywhere near
     * the multiplicand UBSAN reports.
     */
    NONFAILING(*(uint64_t*)0x20006000 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20006008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20006010 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20006018 = r[8]+10000000);
    r[13] = syscall(__NR_timer_settime, 0x0ul, 0x0ul, 0x20006000ul,
                    0x20003fe0ul);
    break;
  case 4:
    /*
     * Copy the 12-byte string "/dev/autofs\0" to 0x20006000 -- the same
     * buffer case 3 hands to timer_settime -- and open it relative to
     * dirfd 0xffffffffffffff9c.
     *
     * NOTE(review): the first eight bytes, "/dev/aut", read as a
     * little-endian 64-bit integer are 0x7475612f7665642f =
     * 8391720337152500783, exactly the value UBSAN reports being
     * multiplied by 1000000000. The overflowing tv_sec is therefore most
     * likely this path string landing on the timer buffer between case 3's
     * stores and the kernel's read of it, not a value chosen by case 3.
     * The kernel-side concern is the same either way: a caller-supplied
     * tv_sec reaches the multiply in timespec_to_ns without an upper-bound
     * check.
     */
    NONFAILING(memcpy((void*)0x20006000,
                      "\x2f\x64\x65\x76\x2f\x61\x75\x74\x6f\x66\x73\x00", 12));
    r[15] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20006000ul,
                    0x8000ul, 0x0ul);
    break;
  }
  return 0;
}