Date: Tue, 24 Mar 2020 13:12:36 +0100
From: Greg KH
To: Kyungtae Kim
Cc: jslaby@suse.com, slyfox@gentoo.org, Dmitry Torokhov, rei4dan@gmail.com, Dave Tian, LKML
Subject: Re: UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c
Message-ID: <20200324121236.GB2333340@kroah.com>
References: <20200323064616.GB129571@kroah.com>

On Mon, Mar 23, 2020 at 04:44:31PM -0400, Kyungtae Kim wrote:
> On Mon, Mar 23, 2020 at 07:46:16AM +0100, Greg KH wrote:
> > On Sun, Mar 22, 2020 at 11:34:01PM -0400, Kyungtae Kim wrote:
> > > We report a bug (in linux-5.5.11) found by FuzzUSB (modified version
> > > of syzkaller)
> > >
> > > Seems the variable "npadch" has a very large value (i.e., 333333333)
> > > as a result of multiple executions of the function "k_ascii" (keyboard.c:888)
> > > while the variable "base" has 10.
> > > So their multiplication at line 888 in "k_ascii" will become
> > > larger than the max of type int, causing such an integer overflow.
> > >
> > > I believe this can be solved by checking for overflow ahead of operations
> > > e.g., using check_mul_overflow().
> > >
> > > kernel config: https://kt0755.github.io/etc/config_v5.5.11
> >
> > Great, can you send a patch for this?
> >
> > thanks,
> >
> > greg k-h
>
> I'm not sure the following works best.
>
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c > index 15d33fa0c925..c1ae9d2e6970 100644 > --- a/drivers/tty/vt/keyboard.c > +++ b/drivers/tty/vt/keyboard.c > @@ -869,6 +869,7 @@ static void k_meta(struct vc_data *vc, unsigned > char value, char up_flag) > static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag) > { > int base; > + int bytes, res; > > if (up_flag) > return;
> @@ -884,6 +885,8 @@ static void k_ascii(struct vc_data *vc, unsigned > char value, char up_flag) > > if (npadch == -1) > npadch = value; > + else if (check_mul_overflow(npadch, base, &bytes) || > check_add_overflow(bytes, value, &res)) > + return; > else > npadch = npadch * base + value; > }

Does this solve the issue for you?  If so, can you fix it up and resend
it in a format that I can apply it in?

thanks,

greg k-h
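Review bot: In the first hunk, `int bytes, res;` names the intermediate product `bytes`, although it holds `npadch * base` rather than a byte count; a name such as `prod` would say what it is. The `@@` context line in this hunk is also wrapped by the mail client (`unsigned` on one line, `> char value, char up_flag)` on the next), which is enough to stop the hunk from applying.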
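Review bot: In the second hunk, the new `else if` computes the checked result into `res` and then discards it: the final `else` still evaluates `npadch = npadch * base + value`, so the arithmetic is done twice and `res` is never read. Assigning `npadch = res` after a successful check would use the value that was actually verified. `check_add_overflow(bytes, value, &res)` also mixes the `int` `bytes` with the `unsigned char` parameter `value`, while the helpers in include/linux/overflow.h expect both operands and the result to share a type. On overflow the function returns with `npadch` unchanged, so the commit message should say whether keeping the stale value is intended. The added `else if` line is wrapped after `||`, which will need fixing before resending.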
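The overflow described in the quoted report, as an added userspace example that is not part of the thread or of the kernel source: it models the `npadch * base + value` accumulator with checked arithmetic and counts how many digits fit in an `int` before the next one is rejected. The names `pad_state`, `pad_accumulate` and `digits_accepted` are hypothetical, and the GCC/Clang builtins stand in for the kernel's `check_mul_overflow()` and `check_add_overflow()`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model of the accumulator from the report; not kernel code.
 * npadch == -1 means "no digits entered yet", as in the quoted hunk. */
struct pad_state {
    int npadch;
};

/* Fold one digit into the accumulator. Returns false and leaves the
 * state untouched if npadch * base + value would not fit in an int. */
static bool pad_accumulate(struct pad_state *s, int base, unsigned char value)
{
    int prod, sum;

    if (s->npadch == -1) {
        s->npadch = value;
        return true;
    }
    /* Both operands and the result are int, so the cast on value is
     * explicit rather than left to implicit promotion. */
    if (__builtin_mul_overflow(s->npadch, base, &prod) ||
        __builtin_add_overflow(prod, (int)value, &sum))
        return false;

    s->npadch = sum; /* store the value that was actually checked */
    return true;
}

/* Feed the same digit repeatedly (constructed input) and return how
 * many presses were accepted before the first rejection. */
static size_t digits_accepted(int base, unsigned char digit, size_t presses)
{
    struct pad_state s = { .npadch = -1 };
    size_t n = 0;

    while (n < presses && pad_accumulate(&s, base, digit))
        n++;
    return n;
}
```

With base 10 and the digit 3, nine presses reach the 333333333 from the report and the tenth is the one whose multiplication exceeds `INT_MAX`.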