Subject: Re: [PATCH] profiling: fix shift-out-of-bounds in profile_setup
To: Pavel Skripkin, rostedt@goodmis.org, tglx@linutronix.de
Cc: linux-kernel@vger.kernel.org, syzbot+e68c89a9510c159d9684@syzkaller.appspotmail.com
References: <20210716190409.25523-1-paskripkin@gmail.com>
From: Tetsuo Handa
Message-ID: <7bc788bf-ba81-5732-957e-55edf522d1ca@i-love.sakura.ne.jp>
Date: Sun, 8 Aug 2021 20:21:02 +0900
In-Reply-To: <20210716190409.25523-1-paskripkin@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021/07/17 4:04, Pavel Skripkin wrote:
> Syzbot reported shift-out-of-bounds bug in profile_init().
> The problem was in incorrect prof_shift. Since prof_shift value comes from
> userspace we need to check this value to avoid too big shift.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-and-tested-by: syzbot+e68c89a9510c159d9684@syzkaller.appspotmail.com
> Suggested-by: Tetsuo Handa
> Signed-off-by: Pavel Skripkin
> ---
> kernel/profile.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/profile.c b/kernel/profile.c
> index c2ebddb5e974..c905931e3c3b 100644
> --- a/kernel/profile.c
> +++ b/kernel/profile.c
> @@ -42,6 +42,7 @@ struct profile_hit {
>
> static atomic_t *prof_buffer;
> static unsigned long prof_len, prof_shift;
> +#define MAX_PROF_SHIFT (sizeof(prof_shift) * 8)

I came to think that we should directly use BITS_PER_LONG, for the integer
value which is subjected to a shift operation is e.g. the (_etext - _stext)
part of

  prof_len = (_etext - _stext) >> prof_shift;

in profile_init(). Since "unsigned char" will be sufficient for holding
BITS_PER_LONG - 1, defining MAX_PROF_SHIFT based on the size of prof_shift
is incorrect.

Also, there is

  unsigned int sample_step = 1 << prof_shift;

in read_profile(). This may result in shift-out-of-bounds on a
BITS_PER_LONG == 64 architecture. Shouldn't this variable be changed from
"unsigned int" to "unsigned long" and use 1UL instead of 1?
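Review bot: in the quoted hunk, `+#define MAX_PROF_SHIFT (sizeof(prof_shift) * 8)` ties the permitted shift count to the storage width of prof_shift rather than to the width of the operand that is actually shifted, and hardcodes 8 bits per byte; BITS_PER_LONG states the intended bound directly and stays correct if prof_shift is later narrowed to a smaller type. The operand width also differs between the two uses visible in this thread: `prof_len = (_etext - _stext) >> prof_shift;` shifts an unsigned long, while `unsigned int sample_step = 1 << prof_shift;` shifts a plain int, so one bound derived from unsigned long does not cover the second expression unless it becomes `1UL << prof_shift` with sample_step widened to unsigned long. Since a count equal to the operand width is already out of bounds, the comparison in the unquoted part of the patch must reject prof_shift >= the bound, not only > it.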
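The bound discussed above, as an added userspace model that is not code from the patch or from kernel/profile.c: it shows why a shift count must be checked against the width of the operand it is applied to, and why the `1 << prof_shift` form in read_profile() needs a narrower limit than the `unsigned long` shift in profile_init() unless it is changed to `1UL`. `BITS_PER_LONG` and `BITS_PER_INT` are stand-ins defined here from `sizeof`, the function names are hypothetical, and the text-segment size is a constructed value.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kernel macros (assumption: userspace model, not kernel
 * code). BITS_PER_LONG is the width of unsigned long, the type of prof_len and
 * of (_etext - _stext); BITS_PER_INT is the width of the plain int operand in
 * the original "1 << prof_shift". */
#define BITS_PER_LONG ((unsigned long)(sizeof(unsigned long) * CHAR_BIT))
#define BITS_PER_INT  ((unsigned long)(sizeof(int) * CHAR_BIT))

/* A shift count must be strictly smaller than the width of the operand it is
 * applied to; shifting by the width or more is undefined behaviour in C and is
 * what UBSAN reports as shift-out-of-bounds, so the comparison is "<". */
static bool shift_count_ok(unsigned long shift, unsigned long operand_bits)
{
	return shift < operand_bits;
}

/* Model of the check profile_setup() needs (hypothetical name): accept the
 * user-supplied value only when it is a valid count for an unsigned long. */
static bool profile_setup_model(unsigned long requested, unsigned long *prof_shift)
{
	if (!shift_count_ok(requested, BITS_PER_LONG))
		return false;
	*prof_shift = requested;
	return true;
}

/* Convenience wrapper: does profile_setup_model() accept and store the value? */
static bool setup_accepts(unsigned long requested)
{
	unsigned long s = 0;

	return profile_setup_model(requested, &s) && s == requested;
}

/* Model of prof_len = (_etext - _stext) >> prof_shift from profile_init(),
 * with the text segment size passed in instead of taken from linker symbols. */
static unsigned long prof_len_for(unsigned long text_size, unsigned long prof_shift)
{
	return text_size >> prof_shift;
}

/* Model of sample_step from read_profile() in the form the thread proposes:
 * unsigned long and 1UL, so the operand width matches the bound checked above. */
static unsigned long sample_step_for(unsigned long prof_shift)
{
	return 1UL << prof_shift;
}

/* True when a count that passes the BITS_PER_LONG check would still be out of
 * bounds for the original "1 << prof_shift": the base 1 is a signed int, so the
 * count must stay below BITS_PER_INT - 1 to avoid shifting into the sign bit. */
static bool int_form_still_out_of_bounds(unsigned long prof_shift)
{
	return shift_count_ok(prof_shift, BITS_PER_LONG) &&
	       !shift_count_ok(prof_shift, BITS_PER_INT - 1);
}

int main(void)
{
	/* Constructed inputs: a 1 MiB text segment and a few candidate shifts. */
	const unsigned long text_size = 1UL << 20;
	const unsigned long candidates[] = { 4, BITS_PER_INT, BITS_PER_LONG - 1, BITS_PER_LONG };
	unsigned long prof_shift = 0;
	size_t i;

	for (i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++) {
		unsigned long c = candidates[i];

		if (!profile_setup_model(c, &prof_shift)) {
			printf("prof_shift=%lu rejected (>= BITS_PER_LONG)\n", c);
			continue;
		}
		printf("prof_shift=%lu prof_len=%lu sample_step=%lu%s\n",
		       prof_shift, prof_len_for(text_size, prof_shift),
		       sample_step_for(prof_shift),
		       int_form_still_out_of_bounds(prof_shift) ?
		       " (out of bounds as 1 << prof_shift)" : "");
	}
	return 0;
}
```

On a 64-bit build the loop accepts 4, 32 and 63 and rejects 64; 32 and 63 are flagged because they pass the unsigned long bound yet would be out of bounds for the int-based `1 << prof_shift`, which is the mismatch the thread's 1UL suggestion removes.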