Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp62082imu; Mon, 19 Nov 2018 17:46:27 -0800 (PST) X-Google-Smtp-Source: AJdET5d7815UnENdyYlYbUhW3sDM004zzmhaaGa6PkgBhbXZTWPWpItACbirEe70MQOFGMHpu4l/ X-Received: by 2002:a62:ca9c:: with SMTP id y28mr104263pfk.236.1542678387061; Mon, 19 Nov 2018 17:46:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542678387; cv=none; d=google.com; s=arc-20160816; b=W+O/X2hKqe6ODmTOTTdMo97Rzjy6ZTOMror28IybP+hQe9Q4q73NQUVoPZi9ZDQeRi nvrQIEHL+T2eUuajrimLPPiGmP7qrmi/hUpK3C1Mk1XeqJiJhwogiyovUboG7r5JPxiU RnvhdOsHhYkXD586d6IqnVH1qEYPJykRogTHKlV5xSKM4HBsdccjrfS38zWogqkbNco0 KCY3nSLCl9gwLVaCLR82ctJnofEupV3qVuBZibHKvV4aEo1YzLHdZkQgmX4TwgpK34Il +b+xrNLLIlzFPiOOf8arwOxpE5/w7EH3xBQzjwB3i6WBXDcgKYJA2chqctLuUBUNqUXN gnEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from; bh=cqLDgRlRCPlCGZpACpSSchlRxpgkCDGdQZ8y2fx9O3I=; b=JaWk+GteAcs2EOdzXBMQ99bNp/L1xDRV7GV+TUvrhD4ryuOb/g0syfZsfYoZzfTmYy axwcPDde5v4lopSc5tHVZt3x5C7dlWC4cvnw0f7zOYPyq+gQiNVvcQ4IPYgpfpXzGgam IMjsYSA6S8wWd81tklHABZiUKESfhMRuPYurDCH48ao5RjW5k4Ln4SxKPskvYlmW34/m 7aN3Vopn/stxGtvFrxjDvN2ZuQZOntEwQfzo/FfWCk0YNHfesc0vFO3DnIzpKprFkzGH eftSfOMdnVqHLv8+oX1EIsOUzdZQ5UxQNVF2mnj5kPb2DCPSnkia1UGtjboJTBq1DQ2N 1+Yw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h188si16973831pfg.44.2018.11.19.17.46.10; Mon, 19 Nov 2018 17:46:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732587AbeKTMLv convert rfc822-to-8bit (ORCPT + 99 others); Tue, 20 Nov 2018 07:11:51 -0500 Received: from szxga02-in.huawei.com ([45.249.212.188]:6476 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726119AbeKTMLv (ORCPT ); Tue, 20 Nov 2018 07:11:51 -0500 Received: from DGGEMM406-HUB.china.huawei.com (unknown [172.30.72.55]) by Forcepoint Email with ESMTP id CF78685E2ABC6; Tue, 20 Nov 2018 09:45:10 +0800 (CST) Received: from DGGEMM528-MBX.china.huawei.com ([169.254.8.210]) by DGGEMM406-HUB.china.huawei.com ([10.3.20.214]) with mapi id 14.03.0415.000; Tue, 20 Nov 2018 09:45:11 +0800 From: "liujian (CE)" To: Dmitry Torokhov CC: "linux-input@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: RE: [PATCH] driver: input: fix UBSAN warning in input_defuzz_abs_event Thread-Topic: [PATCH] driver: input: fix UBSAN warning in input_defuzz_abs_event Thread-Index: AQHUcl6QOAr1kFrZeEqKa/vqHakFIqVMFqGAgAsgHHA= Date: Tue, 20 Nov 2018 01:45:10 +0000 Message-ID: <4F88C5DDA1E80143B232E89585ACE27D024F8FC9@DGGEMM528-MBX.china.huawei.com> References: <1541166531-248528-1-git-send-email-liujian56@huawei.com> <20181112194853.GH192687@dtor-ws> In-Reply-To: <20181112194853.GH192687@dtor-ws> Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.177.97.126] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Best Regards, liujian > -----Original Message----- > From: Dmitry Torokhov [mailto:dmitry.torokhov@gmail.com] > Sent: Tuesday, November 13, 2018 3:49 AM > To: liujian (CE) > Cc: linux-input@vger.kernel.org; linux-kernel@vger.kernel.org > Subject: Re: [PATCH] driver: input: fix UBSAN warning in > input_defuzz_abs_event > > Hi, > > On Fri, Nov 02, 2018 at 09:48:51PM +0800, liujian wrote: > > syzkaller triggered a UBCAN warning: > > > > [ 196.188950] UBSAN: Undefined behaviour in > > drivers/input/input.c:62:23 [ 196.188958] signed integer overflow: > > [ 196.188964] -2147483647 - 104 cannot be represented in type 'int [2]' > > [ 196.188973] CPU: 7 PID: 4763 Comm: syz-executor Not tainted > > 4.19.0-514.55.6.9.x86_64+ #7 [ 196.188977] Hardware name: Bochs > > Bochs, BIOS Bochs 01/01/2011 [ 196.188979] Call Trace: > > [ 196.189001] dump_stack+0x91/0xeb > > [ 196.189014] ubsan_epilogue+0x9/0x7c [ 196.189020] > > handle_overflow+0x1d7/0x22c [ 196.189028] ? > > __ubsan_handle_negate_overflow+0x18f/0x18f > > [ 196.189038] ? __mutex_lock+0x213/0x13f0 [ 196.189053] ? > > drop_futex_key_refs+0xa0/0xa0 [ 196.189070] ? > > __might_fault+0xef/0x1b0 [ 196.189096] > > input_handle_event+0xe1b/0x1290 [ 196.189108] > > input_inject_event+0x1d7/0x27e [ 196.189119] > evdev_write+0x2cf/0x3f0 > > [ 196.189129] ? evdev_pass_values+0xd40/0xd40 [ 196.189157] ? > > mark_held_locks+0x160/0x160 [ 196.189171] ? > __vfs_write+0xe0/0x6c0 [ > > 196.189175] ? evdev_pass_values+0xd40/0xd40 [ 196.189179] > > __vfs_write+0xe0/0x6c0 [ 196.189186] ? kernel_read+0x130/0x130 [ > > 196.189204] ? _cond_resched+0x15/0x30 [ 196.189214] ? > > __inode_security_revalidate+0xb8/0xe0 > > [ 196.189222] ? selinux_file_permission+0x354/0x430 > > [ 196.189233] vfs_write+0x160/0x440 > > [ 196.189242] ksys_write+0xc1/0x190 > > [ 196.189248] ? __ia32_sys_read+0xb0/0xb0 [ 196.189259] ? > > trace_hardirqs_on_thunk+0x1a/0x1c [ 196.189267] ? > > do_syscall_64+0x22/0x4a0 [ 196.189276] do_syscall_64+0xa5/0x4a0 [ > > 196.189287] entry_SYSCALL_64_after_hwframe+0x49/0xbe > > [ 196.189293] RIP: 0033:0x44e7c9 > > [ 196.189299] Code: fc ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f > > 00 > > > > the syzkaller reproduce script(but can't reproduce it every time): > > > > r0 = syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', > > 0x2, > > 0x1) > > write$binfmt_elf64(r0, &(0x7f0000000240)={{0x7f, 0x45, 0x4c, 0x46, > > 0x40, 0x2, 0x2, 0xffffffff, 0xffffffffffff374c, 0x3, 0x0, 0x80000001, > > 0x103, 0x40, 0x22e, 0x26, 0x1, 0x38, 0x2, 0xa23, 0x1, 0x2}, > > [{0x6474e557, 0x5, 0x6, 0x2, 0x9, 0x9, 0x6c3, 0x1ff}], "", [[], [], > > [], []]}, 0x478) ioctl$EVIOCGSW(0xffffffffffffffff, 0x8040451b, > > &(0x7f0000000040)=""/7) > > syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x2, > > 0x1) > > r1 = syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', > > 0x2, > > 0x1) > > openat$smack_task_current(0xffffffffffffff9c, > > &(0x7f0000000040)='/proc/self/attr/current\x00', 0x2, 0x0) > > ioctl$EVIOCSABS0(r1, 0x401845c0, &(0x7f0000000000)={0x4, 0x10000, > 0x4, > > 0xd1, 0x81, 0x3}) > > eventfd(0x1ff) > > syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x2, > > 0x200) > > syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x2, > > 0x1) syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', > > 0x2, 0x1) > > syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x2, > > 0x1) syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', > > 0x2, 0x1) > > > > Typecast int to long to fix the issue. > > Does this fix 32-bit platforms where long equals int? BTW, I'd prefer if we did > not have to do 64 bit arithmetic on 32 bit arches here, if possible. Hi Dmitry, Thanks for your review, we can typecast it to long long? but if do not 64 bit arithmetic on 32-bit platforms, how about this? We can not care about the overflow of addition/subtraction, but we should care about the return value.? diff --git a/drivers/input/input.c b/drivers/input/input.c index 3304aaa..954244f 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -59,14 +59,17 @@ static inline int is_event_supported(unsigned int code, static int input_defuzz_abs_event(int value, int old_val, int fuzz) { if (fuzz) { - if (value > old_val - fuzz / 2 && value < old_val + fuzz / 2) + if (value > (long)((unsigned long)old_val - (unsigned long)fuzz / 2) && + value < (long)((unsigned long)old_val + (unsigned long)fuzz / 2)) return old_val; - if (value > old_val - fuzz && value < old_val + fuzz) - return (old_val * 3 + value) / 4; + if (value > (long)((unsigned long)old_val - (unsigned long)fuzz) && + value < (long)((unsigned long)old_val + (unsigned long)fuzz)) + return ((long long)old_val * 3 + value) / 4; - if (value > old_val - fuzz * 2 && value < old_val + fuzz * 2) - return (old_val + value) / 2; + if (value > (long)((unsigned long)old_val - (unsigned long)fuzz * 2) && + value < (long)((unsigned long)old_val + (unsigned long)fuzz * 2)) + return ((long long)old_val + value) / 2; } return value; > Thanks. > > -- > Dmitry