X-Mailing-List: linux-kernel@vger.kernel.org
References: <2d5e3b6c-3a66-4f74-8367-51fa55bf0a1a@acm.org>
In-Reply-To: <2d5e3b6c-3a66-4f74-8367-51fa55bf0a1a@acm.org>
From: Sam Sun
Date: Thu, 11 Apr 2024 09:17:48 +0800
Subject: Re: [Bug] UBSAN: shift-out-of-bounds in sg_build_indirect
To: Bart Van Assche
Cc: linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, martin.petersen@oracle.com, jejb@linux.ibm.com, dgilbert@interlog.com, syzkaller@googlegroups.com, xrivendell7@gmail.com

On Wed, Apr 10, 2024 at 12:59 AM Bart Van Assche wrote:
>
> On 4/9/24 05:51, Sam Sun wrote:
> > We further analyzed the root cause of this bug. In function
> > sg_build_indirect of drivers/scsi/sg.c, the variable order at line 1900 is
> > calculated using get_order(num), and num comes from
> > scatter_elem_sz. If scatter_elem_sz is equal to or below zero, the order
> > returned will be 52, so that PAGE_SHIFT + order is 64, which is larger
> > than the 32-bit int range, causing a shift-out-of-bounds. This bug is tested
> > and still remains in the latest upstream linux (6.9-rc3).
> > If you have any questions, please contact us.
>
> Thank you for having root-caused this issue and also for having shared
> your root-cause analysis. Do you perhaps plan to post a patch that fixes
> this issue?
>
> Thanks,
>
> Bart.
>

Sure, I am glad to help! But it is my first time submitting a patch, I
need to find some instructions. I would appreciate it if you could help me
out. Also, I need to double-check the patch to avoid introducing a new one.
It might take some time.

Best,
Yue
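The root cause quoted above hinges on how get_order() behaves when it is handed an int that is zero or negative: the int is converted to unsigned long, so a negative scatter_elem_sz becomes an enormous size and the generic get_order() answers 52 on a 64-bit build with 4 KiB pages. The following is an added example and not code from the thread or from drivers/scsi/sg.c: it ports the non-constant path of the kernel's generic get_order() (include/asm-generic/getorder.h) to userspace, assumes PAGE_SHIFT == 12 and BITS_PER_LONG == 64 (x86-64), computes the shift amount the driver would use in `1 << (PAGE_SHIFT + order)`, checks whether that shift fits a 32-bit int, and shows a hypothetical clamp of the local value (named sg_clamp_elem_sz here; it is illustrative, not the upstream fix) that keeps the order in range.

```c
/* Added example, not from the thread or from drivers/scsi/sg.c.
 * Userspace port of the kernel's generic get_order()
 * (include/asm-generic/getorder.h, non-constant path) showing why
 * get_order() of a zero or negative scatter_elem_sz yields order 52
 * on a 64-bit build with 4 KiB pages, so PAGE_SHIFT + order == 64. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12UL                 /* assumption: x86-64, 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* fls64(): 1-based index of the most significant set bit; 0 for x == 0 */
static int fls64(uint64_t x)
{
    return x ? 64 - __builtin_clzll(x) : 0;
}

/* Generic get_order(): size 0 wraps to ULONG_MAX after size--, and any
 * negative int converted to unsigned long keeps its high bits set, so
 * (size - 1) >> PAGE_SHIFT has bit 51 set and fls64() returns 52. */
static int get_order(unsigned long size)
{
    size--;
    size >>= PAGE_SHIFT;
    return fls64(size);
}

/* Shift amount the driver would feed into `1 << (PAGE_SHIFT + order)`.
 * num is an int because scatter_elem_sz is an int module parameter;
 * passing it to get_order() converts it to unsigned long. */
int sg_shift_for(int num)
{
    return (int)PAGE_SHIFT + get_order((unsigned long)num);
}

/* Does the shift stay inside a 32-bit int (the driver's `int ret_sz`)?
 * A shift count >= 32 on a 32-bit int is undefined behaviour, which is
 * exactly what UBSAN reports as shift-out-of-bounds. */
int sg_shift_is_valid(int num)
{
    int shift = sg_shift_for(num);
    return shift >= 0 && shift < (int)(sizeof(int) * CHAR_BIT);
}

/* Hypothetical hardening (illustrative, not the upstream fix): clamp the
 * local copy to PAGE_SIZE before calling get_order(), so the derived
 * order is 0 for any value below a page and never reaches 52. */
int sg_clamp_elem_sz(int num)
{
    if (num < (int)PAGE_SIZE)
        return (int)PAGE_SIZE;
    return num;
}

int main(void)
{
    /* constructed sample values for scatter_elem_sz */
    int samples[] = { 0, -1, INT_MIN, 4096, 32768, 1 << 20 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = samples[i];
        printf("num=%11d order=%2d shift=%2d valid=%d clamped_shift=%d\n",
               n, get_order((unsigned long)n), sg_shift_for(n),
               sg_shift_is_valid(n), sg_shift_for(sg_clamp_elem_sz(n)));
    }
    return 0;
}
```

For 0, -1 and INT_MIN the order is 52 and the shift is 64, which sg_shift_is_valid() rejects; for 4096, 32768 and 1 MiB the shifts are 12, 15 and 20. The clamp only matters for the local copy: the driver already resets the global scatter_elem_sz to PAGE_SIZE when it is below a page, but the value used for get_order() must be the corrected one.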