Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp284326ybi; Thu, 11 Jul 2019 19:23:44 -0700 (PDT) X-Google-Smtp-Source: APXvYqw0nmTTI5qCnrADL8SupknUm4kQsfAF1Yk4FIIY/rgSIbBKAIe/OqZ+syFHw2uQtX524IV+ X-Received: by 2002:a63:6056:: with SMTP id u83mr4933638pgb.181.1562898224520; Thu, 11 Jul 2019 19:23:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562898224; cv=none; d=google.com; s=arc-20160816; b=DgyZQ0qtM2sMS6ytQq4X7/U5h0Gh1cLWxZr1K8jALVoRmVjq1FRtlGtezGMKh4vUPT 1OvhItreEhulPealDYXjxZ935ipJ9qFlJNRPfzleOEea9ttfTATiIcysyYxhwbEZsQ+2 12jXZRMkPwj39fwacqPzmZLR8/Pc3cBiueFJv205mKvNgkGUcoUCjsdNqaQ5ZRmOzgsA qdnerEgx8pceY4slnXg/1azWBDv9mIC6kjuYdq9yNNFzVUwL4V/rjUcrnpyDjS0ljyTW KSUUMfreCdwSynlzue6xTu8AiIocBDAEiP2ZnPtpw6mup6H9LXSeHRjdstjmU0jtug5j N2og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:to :from; bh=A2xAAEn2gOJiQpdnZU6mJD7taKq6+XjBjrBC0crHT6c=; b=QzovwgXyVtme9DqlvWuLOV5ycUKZeHgsohMYsffhHc+t9naqXZMxv5LAcIZEuwe0cV jXS9J9NDcB5eqFhe3kR1ceBs654MbOA1n21VU1qawjcVeAVzqZJSX7mKqxV3qjAJ8mA3 xQb17nzl9XWlyWDaYXidjiERTcuuCV8Hy30RDb711qFyfM/mOPdJZMIJLT+K+opIxK2S GZ2tHLVA3WWKbBq91JkGjnJ+/mHINKDhqrQ26NR5zQbGaz/rRPA7nmvuZ/DZk9GF2wjh y5FstVaAXrjbpKnqdpkEzz28AXD1jrn4VWnJy/n1BPyd+DF7jK9lZgM5rwyDctwomhe0 /LhQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x7si6947510pfi.257.2019.07.11.19.23.29; Thu, 11 Jul 2019 19:23:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728964AbfGLCXH (ORCPT + 99 others); Thu, 11 Jul 2019 22:23:07 -0400 Received: from szxga06-in.huawei.com ([45.249.212.32]:35646 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728485AbfGLCXH (ORCPT ); Thu, 11 Jul 2019 22:23:07 -0400 Received: from DGGEMS407-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id B564030897464F660B2C; Fri, 12 Jul 2019 10:23:02 +0800 (CST) Received: from RH5885H-V3.huawei.com (10.90.53.225) by DGGEMS407-HUB.china.huawei.com (10.3.19.207) with Microsoft SMTP Server id 14.3.439.0; Fri, 12 Jul 2019 10:22:54 +0800 From: SunKe To: , , , Subject: [PATCH] fs/sync.c: Fix UBSAN Undefined behaviour in sync_file_range Date: Fri, 12 Jul 2019 10:28:37 +0800 Message-ID: <1562898517-143943-1-git-send-email-sunke32@huawei.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.90.53.225] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There is a UBSAN report: UBSAN: Undefined behaviour in ../fs/sync.c:298:10 signed integer overflow: -8 + -9223372036854775807 cannot be represented in type 'long long int' CPU: 0 PID: 15876 Comm: syz-executor.3 Not tainted Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: [] dump_backtrace+0x0/0x698 arch/arm64/kernel/traps.c:96 [] show_stack+0x38/0x60 arch/arm64/kernel/traps.c:234 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x1a8/0x230 lib/dump_stack.c:51 [] ubsan_epilogue+0x34/0x9c lib/ubsan.c:164 [] handle_overflow+0x228/0x280 lib/ubsan.c:195 [] __ubsan_handle_add_overflow+0x4c/0x68 lib/ubsan.c:203 [] SYSC_sync_file_range fs/sync.c:298 [inline] [] SyS_sync_file_range+0x350/0x3e8 fs/sync.c:285 [] el0_svc_naked+0x30/0x34 When calculate the endbyte, there maybe an overflow, even if no effect the kernel, but I also want to avoid overflowing and avoid UBSAN reporting. The original compare is to ensure the offset >= 0 && nbytes >= 0 && no overflow happened. I do the calculate after compare. ensure the offset >= 0 && nbytes >= 0 && no overflow may happen first. Signed-off-by: SunKe --- fs/sync.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/sync.c b/fs/sync.c index 4d1ff01..5827471 100644 --- a/fs/sync.c +++ b/fs/sync.c @@ -246,15 +246,15 @@ int sync_file_range(struct file *file, loff_t offset, loff_t nbytes, if (flags & ~VALID_FLAGS) goto out; - endbyte = offset + nbytes; - if ((s64)offset < 0) goto out; - if ((s64)endbyte < 0) + if ((s64)nbytes < 0) goto out; - if (endbyte < offset) + if (S64_MAX - offset < nbytes) goto out; + endbyte = offset + nbytes; + if (sizeof(pgoff_t) == 4) { if (offset >= (0x100000000ULL << PAGE_SHIFT)) { /* -- 2.7.4