Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932545AbdLGNUU (ORCPT ); Thu, 7 Dec 2017 08:20:20 -0500 Received: from szxga06-in.huawei.com ([45.249.212.32]:57995 "EHLO huawei.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S932503AbdLGNUR (ORCPT ); Thu, 7 Dec 2017 08:20:17 -0500 To: Al Viro , , "linux-kernel@vger.kernel.org" , LinuxArm From: Ding Tianhong Subject: [PATCH] fs: Fix signed integer overflow for vfs_setpos Message-ID: Date: Thu, 7 Dec 2017 21:19:10 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.177.23.32] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2223 Lines: 53 The undefined behaviour sanatizer detected an signed integer overflow like this: r0 = memfd_create(&(0x7f0000002000-0x12)="2e726571756573745f6b65795f6175746800",0x0) lseek(r0, 0x4040000000000000, 0x1) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f000000b000-0xd)={@empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x9, 0x1, 0xff, 0x2, 0x6, 0x1,0xd27}, 0x20) mmap(&(0x7f000000e000/0x1000)=nil, 0x1000, 0x3, 0x32,0xffffffffffffffff, 0x0) ioctl$sock_SIOCGSKNS(r0, 0x894c, &(0x7f000000f000-0x4)=0x10000) --------------------------------------------------------------------------------- UBSAN: Undefined behaviour in fs/read_write.c:107:12 signed integer overflow: 4629700416936869888 + 4629700416936869888 cannot be represented in type 'long long int' CPU: 0 PID: 11653 Comm: syz-executor0 Not tainted 4.x.xx+ #2 Hardware name: linux,dummy-virt (DT) Call trace: [] dump_backtrace+0x0/0x2a0 [] show_stack+0x20/0x30 [] dump_stack+0x11c/0x16c [] ubsan_epilogue+0x18/0x70 [] handle_overflow+0x14c/0x188 [] __ubsan_handle_add_overflow+0x34/0x44 [] generic_file_llseek_size+0x1f8/0x2a0 [] shmem_file_llseek+0x7c/0x1f8 [] SyS_lseek+0xc0/0x118 -------------------------------------------------------------------------------- The problem happened because the calculation of signed integer resulted an overflow for the signed integer, so use the unsigned integer to avoid undefined behaviour when it does overflow. Signed-off-by: Ding Tianhong --- fs/read_write.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/read_write.c b/fs/read_write.c index f8547b8..2c377fc 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -105,7 +105,7 @@ loff_t vfs_setpos(struct file *file, loff_t offset, loff_t maxsize) * like SEEK_SET. */ spin_lock(&file->f_lock); - offset = vfs_setpos(file, file->f_pos + offset, maxsize); + offset = vfs_setpos(file, (u64)file->f_pos + offset, maxsize); spin_unlock(&file->f_lock); return offset; case SEEK_DATA: -- 1.8.3.1