Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4111071ybb;
        Mon, 23 Mar 2020 13:45:26 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vuwiNeVZ8x0aFfQVLxIHJbfCHyhqlgxtJ4JwaEIG+bxdWz6VMNxV5hQb3pWMgDjbd/yx2XU
X-Received: by 2002:aca:558c:: with SMTP id j134mr1016508oib.102.1584996326531;
        Mon, 23 Mar 2020 13:45:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584996326; cv=none;
        d=google.com; s=arc-20160816;
        b=mAD7/0/zQ45VwhYcEdPY/elYCJ5wBTgPUS/GEW642711/eip7gNmAA1yrJ9TSQQqs2
         b9jphpY1kMRR9i2lmHRmCTKw48kH4lCk1zxo3SrZk7OCRrNN6SO3t0BgoKmnstDJ7Bfk
         Aua6urqcjz7rM2FmtJhlSQJqDtooWRBEyiTyW6G/fFttwv5rhJ1VMpJyfcyrH6Wy/XNp
         qh4jPyQZi5tAY+0UqlNr7qExDIStQPNfgvfFomE+4BKFsTkbcPcAfL9cBRbOULGL6h3y
         0IR9GrIl+cTYa3kDXj+r7lr2Iou16y3QbHN5hbYU8HolUDz42GU9bg362+6433+qLS1z
         ZoHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=e061pcmiSocm5TCH2kexNo/1LtEisTcSsHnrvUPbEiA=;
        b=XMzC/b8jL+qhEw/0mOnsVhOLgU2wVVpgksQPOCjem/p3ZYPV4J5DxERNnLtUwveiAB
         BNUvR34rzR82LTRBc/Vo0QG9vGlmo836PKs62ZUfbZhvE4U7NG33MnOEiLTn1shNtiko
         nTwKQMxrJzHGRgOohHh53oNlTyoKoxKrDeNfSyaAT/D5iYAE2slOa+jL0r+MN+ukgPmH
         lJtCCe/BpmUtfT8K5nZJZgMBY3ZyCL9DKyxcjGiBfw2wMqvc743vmU+59Fkq5ZBRA4la
         tfNVH15fFwRkK5XBmRgjjPLI2Jynpws0rx1U+JcQIZvgxbLZ0SXLurmIHCP7EdIHiOv2
         wAww==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="QZD/KgRP";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a6si3451126oto.34.2020.03.23.13.45.13;
        Mon, 23 Mar 2020 13:45:26 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="QZD/KgRP";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726145AbgCWUop (ORCPT <rfc822;yingkeliu@gmail.com> + 99 others);
        Mon, 23 Mar 2020 16:44:45 -0400
Received: from mail-lf1-f67.google.com ([209.85.167.67]:37314 "EHLO
        mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725844AbgCWUop (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Mar 2020 16:44:45 -0400
Received: by mail-lf1-f67.google.com with SMTP id j11so11367035lfg.4
        for <linux-kernel@vger.kernel.org>; Mon, 23 Mar 2020 13:44:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=e061pcmiSocm5TCH2kexNo/1LtEisTcSsHnrvUPbEiA=;
        b=QZD/KgRPHgcOxtb0qWhUKPvSZHXx/HGVixEwM+IWFrVubL8hnRtHer1OuNpH4SX2hM
         et/A57hTvPYZavJafDtMEIwBI2RqvlxrTruXy8fqS79oLTB9xNaxZ5+SV7JpbRzuvdCg
         1yByR6BBDe43ZDKfbVgD0TZhf3QtjUcKNI1S3uVmbSg5b69Gb1gr0+LDcDcY9e6E6bq9
         E3rB6iYP6yTcHa7eDfeld72008bfP8yEOtCRhjLSve4gf/TFGx+Ayi34Vhvj8SUNr3at
         7whfcwefkLPfp6Jiyll9s2NGZWA6w5U6NHk3FffeQRbES+Ahf8qiCsMKgE9opWmINOow
         jGFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=e061pcmiSocm5TCH2kexNo/1LtEisTcSsHnrvUPbEiA=;
        b=NKsq+4wZ73HrBCshQnayZKUdpqM806aIsFJ0IJysDPiiOTIQnIxTUnKbP299KITdo8
         CQG0mbAE08wuhFfhUH4pqu6cH5ihGmGGkeDdUzHxX8MXPgIDAwu9XEeoxLQRcvU/2weK
         OKKYgk0bmvDPUKMAKkvTsowU0d4wkuqufa1j3gAEbpatP9izB07IE2kT0jiGU/0a4cmU
         4Jj6tFTAqOjBdNc67s+mAEOO5VMz/4VWu+8z0VttEcu1yZLojHdmKHjrZ3hjYAZx+PSe
         oWZ9INvi9+qPkunzRDwpmdVytqXUMcOdE8TOnLMDyDpBk5UVNSIGIy8q5rzE2Hv4rKHw
         AfaQ==
X-Gm-Message-State: ANhLgQ29Tz6NXeZhp4CsMM0JEtHfMYBRHdlJEaQ9PclINQSJtg+0sO9L
        dExR3chSN1FoO26SoGnP/BoWxKeysPKzdVl/QAephbxo
X-Received: by 2002:ac2:548f:: with SMTP id t15mr14146896lfk.115.1584996282705;
 Mon, 23 Mar 2020 13:44:42 -0700 (PDT)
MIME-Version: 1.0
References: <CAEAjamv3wT4aqF0y1_PHG_=cbzH-ATsP6TiV5Zt5Qc+ACVnOPw@mail.gmail.com>
 <20200323064616.GB129571@kroah.com>
In-Reply-To: <20200323064616.GB129571@kroah.com>
From:   Kyungtae Kim <kt0755@gmail.com>
Date:   Mon, 23 Mar 2020 16:44:31 -0400
Message-ID: <CAEAjamvv7LzaTBu-Xh5rg4r1-_NaDDGVoe9LZ7NmZv3gpLXkuw@mail.gmail.com>
Subject: Re: UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c
To:     Greg KH <gregkh@linuxfoundation.org>
Cc:     jslaby@suse.com, slyfox@gentoo.org,
        Dmitry Torokhov <dmitry.torokhov@gmail.com>, rei4dan@gmail.com,
        Dave Tian <dave.jing.tian@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 23, 2020 at 07:46:16AM +0100, Greg KH wrote:
> On Sun, Mar 22, 2020 at 11:34:01PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.5.11) found by FuzzUSB (modified version
> > of syzkaller)
> >
> > Seems the variable "npadch" has a very large value (i.e., 333333333)
> > as a result of multiple executions of the function "k_ascii" (keyboard.c:888)
> > while the variable "base" has 10.
> > So their multiplication at line 888 in "k_ascii" will become
> > larger than the max of type int, causing such an integer overflow.
> >
> > I believe this can be solved by checking for overflow ahead of operations
> > e.g., using check_mul_overflow().
> >
> > kernel config: https://kt0755.github.io/etc/config_v5.5.11
>
> Great, can you send a patch for this?
>
> thanks,
>
> greg k-h

I'm not sure the following works best.

diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 15d33fa0c925..c1ae9d2e6970 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -869,6 +869,7 @@ static void k_meta(struct vc_data *vc, unsigned
char value, char up_flag)
 static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
 {
        int base;
+       int bytes, res;

        if (up_flag)
                return;
@@ -884,6 +885,8 @@ static void k_ascii(struct vc_data *vc, unsigned
char value, char up_flag)

        if (npadch == -1)
                npadch = value;
+       else if (check_mul_overflow(npadch, base, &bytes) ||
check_add_overflow(bytes, value, &res))
+               return;
        else
                npadch = npadch * base + value;
 }

Thanks,
Kyungtae Kim