Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1946310yba;
        Thu, 4 Apr 2019 23:49:03 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx4uOb9Yc5kMH33bFjeDsyhuaLKvA5A3wEc6eglYt0q2UJLGKxYkAiFsEMr+Nfzms0gilUA
X-Received: by 2002:a17:902:be04:: with SMTP id r4mr11291380pls.218.1554446943388;
        Thu, 04 Apr 2019 23:49:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554446943; cv=none;
        d=google.com; s=arc-20160816;
        b=yPyzsp2YpbRciVZzvFAJfX5TgAamuMVwXR4RPI3KoA9j4b8Ogffw94ZVgHIbk9ShST
         In/+56C6sG1maYEMQv+mHgG5S4YAxdnxMnY+dzEP74CySaHf0TMuhiTkXvOb87JheUWX
         D2oC5v4ZQjLQN5rllNX+hORjRVAIRakbqL7qIIbQh5j4ai3qxO4f3gQovUZmY+DmV+3u
         MKSlHu6J0A4HpHaY3OgLPY7tUJK0N/8bhwh4KGfMrZl1zlCIOFGHCn/Q61qRmXeDygH5
         CNmZfzYH9qlCIBsNQL+4Xx2hf6Eicgs+csyENOKag8n+aavL4NqQJ+CRiwwmQEYWk0lr
         92YA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from;
        bh=X6SopOxOn8oRkvkf4KfyUudvDlX+XvN/CpXWUhDKgPk=;
        b=VnNktH2X1Nmkz4SEx6ZLvZO6NPQnq79s+bOd9LFVSaED+JA8lHOSaCmjflpyGeqrNR
         E0gGjB1rhIw/OHMfBPQy+HfgeyLlXU+wQimzSmEr+3NRQCnxtP16Sirlp5zKEHywydHm
         gVjY+lKWqgFSkDkZzCDmCo/CQYa82Q0FueFRKCIw6LU+jQdt4y/8+nc8DyvN7zmcE8ms
         wSwkpAeG+IaWjWFZ8l0cjMP4y213qvBN7bqoQg4ktGyu1Ujfz9BDdAnLBMHORdGFJmyv
         F+yVKLqJzDCygXoyeSettF0DWbmi81wlFRe11kus/2ayy353FDy9XiwXi1XSk21LyfK4
         0JOQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w126si19328696pfb.196.2019.04.04.23.48.48;
        Thu, 04 Apr 2019 23:49:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729865AbfDEGsD (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Fri, 5 Apr 2019 02:48:03 -0400
Received: from szxga05-in.huawei.com ([45.249.212.191]:6255 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726389AbfDEGsD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Apr 2019 02:48:03 -0400
Received: from DGGEMS407-HUB.china.huawei.com (unknown [172.30.72.60])
        by Forcepoint Email with ESMTP id 81B73BF26C006EEB0309;
        Fri,  5 Apr 2019 14:47:56 +0800 (CST)
Received: from huawei.com (10.90.53.225) by DGGEMS407-HUB.china.huawei.com
 (10.3.19.207) with Microsoft SMTP Server id 14.3.408.0; Fri, 5 Apr 2019
 14:47:52 +0800
From:   Hou Tao <houtao1@huawei.com>
To:     <mcgrof@kernel.org>, <keescook@chromium.org>
CC:     <linux-kernel@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>
Subject: [PATCH] sysctl: redefine zero as a unsigned long
Date:   Fri, 5 Apr 2019 14:52:17 +0800
Message-ID: <20190405065217.125140-1-houtao1@huawei.com>
X-Mailer: git-send-email 2.16.2.dirty
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.90.53.225]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

We have got KASAN splat when tried to set /proc/sys/fs/file-max:

  BUG: KASAN: global-out-of-bounds in __do_proc_doulongvec_minmax+0x3e4/0x8f0
  Read of size 8 at addr ffff20000f9b2980 by task file-max.sh/36819

  Call trace:
   dump_backtrace+0x0/0x3f8
   show_stack+0x3c/0x60
   dump_stack+0x150/0x1a8
   print_address_description+0x2b8/0x5a0
   kasan_report+0x278/0x648
   __asan_load8+0x124/0x170
   __do_proc_doulongvec_minmax+0x3e4/0x8f0
   proc_doulongvec_minmax+0x80/0xa0
   proc_sys_call_handler+0x188/0x2a0
   proc_sys_write+0x5c/0x80
   __vfs_write+0x118/0x578
   vfs_write+0x184/0x418
   ksys_write+0xfc/0x1e8
   __arm64_sys_write+0x88/0xa8
   el0_svc_common+0x1a4/0x500
   el0_svc_handler+0xb8/0x180
   el0_svc+0x8/0xc

  The buggy address belongs to the variable:
   zero+0x0/0x40

The cause is that proc_doulongvec_minmax() is trying to cast an int
pointer (namely &zero) to a unsigned long pointer, and dereferencing it.

Although the warning seems does no harm, because zero will be placed
in a .bss section, but it's better to kill the KASAN warning by
redefining zero as a unsigned long, so it's OK whenever it is accessed
as an int or a a unsigned long.

An alternative fix seems to be set the minimal value of file-max to be 1,
so one_ul can be used instead, but I'm not sure whether or not a file-max
with a value of zero has special purpose (e.g., prohibit the file-related
activities of all no-privileged users).

Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 kernel/sysctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e5da394d1ca3..03846e015013 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -124,7 +124,7 @@ static int sixty = 60;
 
 static int __maybe_unused neg_one = -1;
 
-static int zero;
+static unsigned long zero;
 static int __maybe_unused one = 1;
 static int __maybe_unused two = 2;
 static int __maybe_unused four = 4;
-- 
2.16.2.dirty