Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3401355ybb; Sun, 22 Mar 2020 23:48:03 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtOuBgS4lb70oWG7Prqt0fDJRxr03fqnpz0WYc8GxrvJjRQA7oU3zKdUPwb2Oese7H1rTrX X-Received: by 2002:aca:4bc5:: with SMTP id y188mr16324123oia.9.1584946083807; Sun, 22 Mar 2020 23:48:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584946083; cv=none; d=google.com; s=arc-20160816; b=ik6NrK/+Tbg5DlOgTOjn3zzS9QQt9Om66QO9gO34MhdMNJpyJklb1cvhmmQlJo1bkh 3Ui5faqmG/cfQyilXvOAE+wsvfO7TPPheu5BORGQrvoi+I2cX9+sCHCtZE7rgSmz2/BW bXrPiN7tWEXPAFrggilVDJSWuN3E02RXKrsckmEDV6H1GAB7AmHEuls/W0qp7xc2Dk+O y3i7Fi11eUPN6gdAoyDphROpY+BOs8k62jGBF3RTCKrA19gh26zhHiB56iM55Y6Ev8SZ FqY2nq8AdPXUnWOx1hSMv6hFvYcw42pheQkE+ta6kKvcP/Gz8SWk6ApCdQGD7PTzcV9L Yqzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=5kVoegB/ftsHDnjAFVrdYIDF2yOb94cIbgp4BzTkMa8=; b=d+oPlV4Y7gRNL8Ixz+iUPz/bAx0tPbN4l1eiEhrMemso3czK6be4YRKbg/CcAJ3YYy wYDKGjvVqQMb30K2lX/cwbdbYOPXFH7WrSzAOnTfQXngy+0HFdlx1i7hNMS5KDl/wmLc JuXk455Ambu+l6oOMthZgMFaaQZw3R5LzLKmmGX7U2kDiyWas31CwSxzy5C7+bcaBo8q AdSyy5KIWLQpP0n90GBC23iGFAADEwRtEkZadbEWfDR+ZPtGq+zLvlG5HYxA9Cizi7Jh 9HMXBABmR8A6KTmkXCRLT7E9lOF8mwp+f4zJdqOZZH4i19xuuhXooL4uhwxH1Y//1BPn lUBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Sg8XDyy4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v20si890340ote.176.2020.03.22.23.47.48; Sun, 22 Mar 2020 23:48:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Sg8XDyy4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727326AbgCWGqT (ORCPT + 99 others); Mon, 23 Mar 2020 02:46:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:48724 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727164AbgCWGqS (ORCPT ); Mon, 23 Mar 2020 02:46:18 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CD349206C3; Mon, 23 Mar 2020 06:46:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1584945978; bh=QVu8pshIueptnWq5DfqM6RzxSosOhQobX0EIxgS3+tQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Sg8XDyy4bcIQo1pyPyqPapbTCtdpkBGhe24qXskcUHOQyR0SSLHYFii9c7vHA42wD 4gH/ZOtKuB+tlLvlim6F/ixD6DJcDlaP/XOywmFN7/l+bMl5hcrAkeWI8Ng1Ej+HIS kyiKn/0xeufQekgSdb0CRfGToPH8fiCfVl9iU3sk= Date: Mon, 23 Mar 2020 07:46:16 +0100 From: Greg KH To: Kyungtae Kim Cc: jslaby@suse.com, slyfox@gentoo.org, Dmitry Torokhov , rei4dan@gmail.com, Dave Tian , LKML Subject: Re: UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c Message-ID: <20200323064616.GB129571@kroah.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 22, 2020 at 11:34:01PM -0400, Kyungtae Kim wrote: > We report a bug (in linux-5.5.11) found by FuzzUSB (modified version > of syzkaller) > > Seems the variable "npadch" has a very large value (i.e., 333333333) > as a result of multiple executions of the function "k_ascii" (keyboard.c:888) > while the variable "base" has 10. > So their multiplication at line 888 in "k_ascii" will become > larger than the max of type int, causing such an integer overflow. > > I believe this can be solved by checking for overflow ahead of operations > e.g., using check_mul_overflow(). > > kernel config: https://kt0755.github.io/etc/config_v5.5.11 Great, can you send a patch for this? thanks, greg k-h