From: Kyungtae Kim
Date: Mon, 23 Mar 2020 16:44:31 -0400
Subject: Re: UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c
To: Greg KH
Cc: jslaby@suse.com, slyfox@gentoo.org, Dmitry Torokhov, rei4dan@gmail.com, Dave Tian, LKML
In-Reply-To: <20200323064616.GB129571@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 23, 2020 at 07:46:16AM +0100, Greg KH wrote:
> On Sun, Mar 22, 2020 at 11:34:01PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.5.11) found by FuzzUSB (modified version
> > of syzkaller)
> >
> > Seems the variable "npadch" has a very large value (i.e., 333333333)
> > as a result of multiple executions of the function "k_ascii" (keyboard.c:888)
> > while the variable "base" has 10.
> > So their multiplication at line 888 in "k_ascii" will become
> > larger than the max of type int, causing such an integer overflow.
> >
> > I believe this can be solved by checking for overflow ahead of operations
> > e.g., using check_mul_overflow().
> >
> > kernel config: https://kt0755.github.io/etc/config_v5.5.11
>
> Great, can you send a patch for this?
>
> thanks,
>
> greg k-h

I'm not sure the following works best.

diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 15d33fa0c925..c1ae9d2e6970 100644
--- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -869,6 +869,7 @@ static void k_meta(struct vc_data *vc, unsigned char value, char up_flag) static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag) { int base; + int bytes, res; if (up_flag) return; @@ -884,6 +885,8 @@ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag) if (npadch == -1) npadch = value; + else if (check_mul_overflow(npadch, base, &bytes) || check_add_overflow(bytes, value, &res)) + return; else npadch = npadch * base + value; } Thanks, Kyungtae Kim
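
Review bot: in the first hunk (@@ -869,6 +869,7 @@), `int bytes, res;` names the intermediate product `bytes`, but it holds `npadch * base`, not a byte count; a name such as `prod` would say what it is. The patch also adds no `#include <linux/overflow.h>`, so unless keyboard.c already gets that header indirectly, the `check_mul_overflow()` and `check_add_overflow()` calls in the second hunk need it added here.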
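
Review bot: in the second hunk (@@ -884,6 +885,8 @@), `check_add_overflow(bytes, value, &res)` passes `value`, an `unsigned char`, alongside `int bytes` and an `int *` destination; the overflow helpers expect both operands and the destination to share one type, so `value` should go through an `int` temporary first. The checked sum in `res` is then discarded and the final `else` recomputes `npadch * base + value`; assigning `npadch = res` would make the check and the store the same arithmetic. On overflow the function returns with `npadch` unchanged, which silently drops the digit, so the changelog should say whether keeping the stale accumulator is intended or whether it should be reset to the `-1` idle value tested just above. The new `else if` line also runs past 80 columns, and with three branches the chain would read better with braces.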