Received: by 2002:ab2:3350:0:b0:1f4:6588:b3a7 with SMTP id o16csp1958072lqe;
        Tue, 9 Apr 2024 06:00:02 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCX6j92v2uTKj80Gtao0pnwsyPWYDiHZvuqpWravHw+faCk42ZK8inEYznsveR5jJeijQrvrmCfr3jC4hvALI/gqfTAFh1vIaMUoqbEnAQ==
X-Google-Smtp-Source: AGHT+IHsaHtJGo45/br1/q072Pkt2uWvCCsD+JiAzlGRm2KntAEXL+RDvzItVp17fM2Ad+V/ji3x
X-Received: by 2002:a05:6359:4289:b0:186:2d41:4091 with SMTP id kp9-20020a056359428900b001862d414091mr4827416rwb.5.1712667601893;
        Tue, 09 Apr 2024 06:00:01 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712667601; cv=pass;
        d=google.com; s=arc-20160816;
        b=ZuEzwVoTp1yNOpJbKjUWI87W/u5q1l5HgDqntoBkDF8+xbH+3AIFHc9GvNfCByZ1Oi
         XoGxx1Dn2NrBC+OK9eTP20DE1IRZlZ19t56mw/SOhg4XOcaIrLrFm0CBXBZYwWuJQ2Yd
         gPfHM7csurpacXvJiJ9ee/QRdREVlQ4UMrOGf9cdStOURYWvTylbB5PgobL8wYd9ljk+
         iC/CqCpc5yseJN0GVSwE8wkzDF/KcD68dWapZ7G6/m94vuoCYv24ZORVy9uJYParYr7t
         GaUnOdH/7WRUNlrsT8AFmHEi5Vo/sNjBfjVIy6q0J/PfLoUZEwACVkYLT7YOU/pnNkmW
         iFVg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=pLZRWIxxIpIyRano383QAFQNgeysi1fKEMitJfkcMIg=;
        fh=l0Wh2SAcU2zOHtUAjGyhX0aGhnD3lScRjgdD7IO6poI=;
        b=LJwvvK6V+Y70WtjocfHsILCfY0QQvP2XMsw547b/iKOEJU0rIe+7vK9mpZK0BtwH7a
         ZZS4UZixkiqfR0LXY0fQmWeGTNMoXGAAwvmkfJuVWaFqL0VsDK1nMcRZxDc/XwZLTXI0
         r3XkVp2A+IgavwIiwHgOCnM2K8195QlDnZhQGgu3WP6EHhyubOQW7u8iMHc2WKUZzPW0
         dYYswIotS2XBUsYbWxQJ34QvgC2y8LdxcbHZOAIUkkdrDjZwMj6EBr60DwxlN/AU8/Qn
         ucQkNJHP5sIKXqNVZkgocLS0IBiEBzJLC7GQaVFc3MKe6QALEeDqE/XsndqWEeW/sxmo
         Vf0Q==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=TEsNCgBU;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-kernel+bounces-136888-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-136888-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel+bounces-136888-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id 24-20020a631258000000b005dcb4f1acc6si8670100pgs.176.2024.04.09.06.00.01
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Apr 2024 06:00:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-136888-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=TEsNCgBU;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-kernel+bounces-136888-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-136888-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id BD7BE28A59D
	for <linux.lists.archive@gmail.com>; Tue,  9 Apr 2024 12:51:38 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 5925512EBC0;
	Tue,  9 Apr 2024 12:51:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="TEsNCgBU"
Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE5AE12D753;
	Tue,  9 Apr 2024 12:51:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.42
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712667080; cv=none; b=lQTL/pVBk/FSX8c8V2gPgvkVoJ5m5LBHfpGZnlW8t6iPSKaJqoj/7bmtru/NXoMCrYUCOOSnwsDc9IZnL1/si9jKJAJFQb7gjBf9sXl0o5E5zfNYjyKzTBTni/KYgVjLLI0QFlkTFuPDk8FZl+DkJTc1KzhWHKJ3W8EG9f4wmDk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712667080; c=relaxed/simple;
	bh=DjNT0L5DEzFWRydMIfmLZI/hD2TY6TxAHIauI8t1flQ=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=glGkR8tihU6wGZ+/ePK/5qo/oSTwnM5os7iOw/glZNH2XjcEK82kuzlh0mjGDPqdxcBIoeVuyPmsabPMqQwtoPUiqU67I5CpgxRZV0Fi38p52bigyB5YJ6HzGb9JQMDyHWUMhH2opLbHk3zjkQvuJNNZQtHaSci+uYq/iQgC1UA=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=TEsNCgBU; arc=none smtp.client-ip=209.85.208.42
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-ed1-f42.google.com with SMTP id 4fb4d7f45d1cf-56e48d0a632so4808470a12.2;
        Tue, 09 Apr 2024 05:51:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1712667077; x=1713271877; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=pLZRWIxxIpIyRano383QAFQNgeysi1fKEMitJfkcMIg=;
        b=TEsNCgBUnSDGjuWAwZ6tEQiGc+Dk10FI24vnZMah2UzznwmbSo691z+lAKF85ZScDc
         Q4X7Rx1RL88dJ2sg7ouSzZDXhIQL4vyAG0ImliKf3HXDcFNsggO2oRtWpRC3pP1l9Zje
         BjWRvS3HQwZXmApOUP4uWAw0iZ9DB8xCB+P1wCdP9+CrvVpgoX0wwWF6ZJn+Jd5XqIGz
         kHr83CV7Xdr0Y3u6jbikzq7+za10A+69W16LjR02gYrOXkxMH+a8Qwwb0Q5QZJpXxvnw
         3xUYX70LeK8sYEiKXNGhE5Gbj1h2B4giuEUPsv7yfrcc+Bq8LMD+ujrsY3hDt/BsCqAr
         YoCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1712667077; x=1713271877;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=pLZRWIxxIpIyRano383QAFQNgeysi1fKEMitJfkcMIg=;
        b=c8B3A43rC77gbJY6UaStMEZLzDFIOhtFrCofmSBFBppX0vVSG5njY9oyJhJrSh1ycn
         eCaabwjRZBfpCZwB+nF0gQR/dTnkF6cx2IAGjl8cCSyL66Lc0G5Wj7wc+mYVzKtqKmWG
         s43+MWZw6zRhBuPrCNaYcTZyCzmorJh0nDlZaW8ioyeRxlJinBFkv4rOIVVUPoK7RoRX
         ksKxr6kkAkTTsGu2hTNDC69MKHPnA39KdGo8klz1f+vs9CSFtjn77N3F5a+mGclHeUY4
         60KGi5sxIv18wM14SBsHEMRZDc4g8ugEfJfYUXu2hIU9HZD5kw2WKf9TZRvnEoRkDhc1
         5z5w==
X-Gm-Message-State: AOJu0YyKax/bE041JyPXCLwyMyvofG3a3J1HgXY5/zFSNzZGvPP63mZ3
	KZzwK8SJpY7ijpm7Q76e+SuOlFln1DSPaBqbN9pFaKCBp26IhNP6SMVtJCWYP+xgedkCksG79jS
	AI/i5YsnDwyEvqx7GBBBvZqrbg4hvcQkEfT+a80M5
X-Received: by 2002:a17:906:b24b:b0:a4e:7b8e:35ae with SMTP id
 ce11-20020a170906b24b00b00a4e7b8e35aemr7764103ejb.38.1712667076605; Tue, 09
 Apr 2024 05:51:16 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <CAEkJfYOs-szTK0rYvDw5UNGfzbTG_7RvjqFOZA=c6LXvxdUt2g@mail.gmail.com>
In-Reply-To: <CAEkJfYOs-szTK0rYvDw5UNGfzbTG_7RvjqFOZA=c6LXvxdUt2g@mail.gmail.com>
From: Sam Sun <samsun1006219@gmail.com>
Date: Tue, 9 Apr 2024 20:51:04 +0800
Message-ID: <CAEkJfYMcdmXAhe9oTpEPGL+_661PNAvM58Y+irwnbLW8FKohNw@mail.gmail.com>
Subject: Re: [Bug] UBSAN: shift-out-of-bounds in sg_build_indirect
To: linux-kernel@vger.kernel.org
Cc: linux-scsi@vger.kernel.org, martin.petersen@oracle.com, jejb@linux.ibm.com, 
	dgilbert@interlog.com, syzkaller@googlegroups.com, xrivendell7@gmail.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 25, 2024 at 8:57=E2=80=AFPM Sam Sun <samsun1006219@gmail.com> w=
rote:
>
> Dear developers and maintainers,
>
> We encountered a shift-out-of-bounds bug while using our modified
> Syzkaller. It is tested against linux kernel 6.9-rc1. Kernel config
> and C repro are attached to this email. The UBSAN report is listed
> below.
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
> UBSAN: shift-out-of-bounds in /home/sy/linux-original/drivers/scsi/sg.c:1=
902:13
> shift exponent 64 is too large for 32-bit type 'int'
> CPU: 1 PID: 8078 Comm: syz-executor748 Not tainted 6.7.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
>  ubsan_epilogue lib/ubsan.c:217 [inline]
>  __ubsan_handle_shift_out_of_bounds+0x24b/0x430 lib/ubsan.c:387
>  sg_build_indirect.cold+0x1b/0x20 drivers/scsi/sg.c:1902
>  sg_build_reserve+0xc4/0x180 drivers/scsi/sg.c:2012
>  sg_add_sfp drivers/scsi/sg.c:2194 [inline]
>  sg_open+0xde4/0x1810 drivers/scsi/sg.c:350
>  chrdev_open+0x269/0x770 fs/char_dev.c:414
>  do_dentry_open+0x6d3/0x18d0 fs/open.c:948
>  do_open fs/namei.c:3622 [inline]
>  path_openat+0x1e1e/0x26d0 fs/namei.c:3779
>  do_filp_open+0x1c9/0x410 fs/namei.c:3809
>  do_sys_openat2+0x160/0x1c0 fs/open.c:1437
>  do_sys_open fs/open.c:1452 [inline]
>  __do_sys_openat fs/open.c:1468 [inline]
>  __se_sys_openat fs/open.c:1463 [inline]
>  __x64_sys_openat+0x140/0x1f0 fs/open.c:1463
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> RIP: 0033:0x7f48cf37f80b
> Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85
> c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d
> 00 f0 ff ff 0f 87 91 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
> RSP: 002b:00007ffd29cd7d40 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f48cf37f80b
> RDX: 0000000000000041 RSI: 00007ffd29cd7dc0 RDI: 00000000ffffff9c
> RBP: 00007ffd29cd7dc0 R08: 000000000000ffff R09: 00007ffd29cd7c50
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000041
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>  </TASK>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
>
> If you have any questions, please contact us.
> Reported by: Yue Sun <samsun1006219@gmail.com>
> Reported by: xingwei lee <xrivendell7@gmail.com>
>
> Best Regards,
> Yue

We further analyzed the root cause of this bug. In function
sg_build_indirect of drivers/scsi/sg.c, variable order of line 1900 is
calculated out using get_order(num), and num comes from
scatter_elem_sz. If scatter_elem_sz is equal or below zero, the order
returned will be 52, so that PAGE_SHIFT + order is 64, which is larger
than 32 bits int range, causing shift-out-of bound. This bug is tested
and still remains in the latest upstream linux (6.9-rc3).
If you have any questions, please contact us.

Best,
Yue