Received: by 2002:ab2:69cc:0:b0:1f4:be93:e15a with SMTP id n12csp219986lqp; Fri, 12 Apr 2024 15:49:43 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWpeAT4ILgFzmXVDye4z4JFpNXhE1+Jdw3CQ3VGFTmd+aEhwEjxQFozLRd9nTAK3X6j4i1D1N+AhQbJpAvHMer6opQxCxmnrrgSzmDE1A== X-Google-Smtp-Source: AGHT+IG4HLog1HeBvCcLjmDOqyLMsrE0MeefuFtQKE0p1RB8ssYwRYyvLDd0quMWnuCuaTinV1Ap X-Received: by 2002:a05:620a:2910:b0:78d:6b57:9210 with SMTP id m16-20020a05620a291000b0078d6b579210mr4698690qkp.75.1712962183510; Fri, 12 Apr 2024 15:49:43 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712962183; cv=pass; d=google.com; s=arc-20160816; b=gC+2nmMf1n+Tq9+FH7dBrtamNbiH3+8wwk7+KJUwBaljJWdMqNLMCGIBok6b2o7jem dTo3ctPgYkTi9RmqkK4oZnSjZWeKBR8AHGhzCcPu0znWlOI0OTjDuqBcJ1Vg7biRdkQp bNh55LKwM3RpmwjqtLu1LgkAc5GyTTwtbPsrMvAz55H3gOMnrF2phnBk/sGFyWrwe5zn m1mGrMPKN4/m6+3xZrJHj7adDPZ3zgCi2IzzJbi0QnTCUBX6Hun7yqFP+vs9qhC9dD8q sznHyLWT68QGf9qWMeU/zYRS8foUHV+tLET2cp1qf5lZgZnRx/RczkRNd4DWHf4F0bEh vAdA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=czbZbnWbOnnHwe4/SxmmZnUfrVFJbZlvz64gCqIYWi4=; fh=jI9L9kNfOMFGaqMF9O54FBPddpqiYkQ8WtKHkgN1VAM=; b=LP4Da8dYAAN9PylmOJbwKv0Xgav0GoYB6A3z1cOPo4Nqpl8PJY9L4Xu4koplGxj6h7 n51S0pavCrp6+UgwSuWrMf2Ia0gRAlLzQ1FQOjGu6QS0ETpQnKq1lsGcAtspteeJ2D2P bTEPia2rviF2zdWgWRTFGpIxcKB1RaUXbIbxaYJ5eM8jaYh4BEunp+4e3ZCLMpOqcHlP mn/1SECiWhjFxWFiUD8kxEDRcFal8ZUbinbBDr/yzZb5zr4wZUaPrSEcBIEC09PxDYi3 L9eelvpY8h/1pSEo4L/XabYfqNhtpwhzpWvzJicf848cd63vCgU/oyqy9Fv2I+L7CyZa QtmA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@acm.org header.s=mr01 header.b=AHMttIcm; arc=pass (i=1 spf=pass spfdomain=acm.org dkim=pass dkdomain=acm.org dmarc=pass fromdomain=acm.org); spf=pass (google.com: domain of linux-kernel+bounces-143417-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-143417-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=acm.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id wg19-20020a05620a569300b0078d678e7efasi4838865qkn.687.2024.04.12.15.49.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Apr 2024 15:49:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-143417-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@acm.org header.s=mr01 header.b=AHMttIcm; arc=pass (i=1 spf=pass spfdomain=acm.org dkim=pass dkdomain=acm.org dmarc=pass fromdomain=acm.org); spf=pass (google.com: domain of linux-kernel+bounces-143417-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-143417-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=acm.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 13E801C21B83 for ; Fri, 12 Apr 2024 22:49:43 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0AA4D15099C; Fri, 12 Apr 2024 22:49:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=acm.org header.i=@acm.org header.b="AHMttIcm" Received: from 008.lax.mailroute.net (008.lax.mailroute.net [199.89.1.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 47A67225D7; Fri, 12 Apr 2024 22:49:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=199.89.1.11 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712962173; cv=none; b=ZU6627XWmPu5P8IDw6/lvXKOJq1FlOQGnFVa5UyRCrS78RaVYJd26FtiDOADHtLCI44iNfLpvRwqQWjx9qFap45FfS/aJoku9AcTPUgVNWQaYARxrLJX47kbII0nW5oB0ipUrdnMGQ4LG/0Awse5yQMOlDXE2vjWZtZbGPTuics= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712962173; c=relaxed/simple; bh=/jT/AmCpsrHeiPRDhEexKpZTtbNP+mUYlC8O4cRo/vk=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=Rv3zYxjF7Rad4QLYfnefGy4F293RzMVxfDiDIlVXWZ71KEb1Xazoqsf/RxYCi7cdkHY9b4/V080eboNcidN6nTYb3IUwBwpKpHrYK7oL3IPHk+07gGdTwQ6AIyd2dauR5EJnKj+pHp052Hbjm51qpUDTyXnQYZURCC3kukgsxNk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=acm.org; spf=pass smtp.mailfrom=acm.org; dkim=pass (2048-bit key) header.d=acm.org header.i=@acm.org header.b=AHMttIcm; arc=none smtp.client-ip=199.89.1.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=acm.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=acm.org Received: from localhost (localhost [127.0.0.1]) by 008.lax.mailroute.net (Postfix) with ESMTP id 4VGWwB4QbQz6Cnk8t; Fri, 12 Apr 2024 22:49:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=acm.org; h= content-transfer-encoding:content-type:content-type:in-reply-to :from:from:content-language:references:subject:subject :user-agent:mime-version:date:date:message-id:received:received; s=mr01; t=1712962166; x=1715554167; bh=czbZbnWbOnnHwe4/SxmmZnUf rVFJbZlvz64gCqIYWi4=; b=AHMttIcmjmw0T39PNhphPSj+4P1PjotE5mhXPaYm AUtDNwHzyNOSpyerjkghvZrXc4Ul3vedUQq+G8hZ/HgS66uguilOhJAquPG8RFTj 3fS5c9dP6ahi8fI6JPyV4FF/2jeOOya3HlwAHk+/U1XQtt5jo0lsPtiQIU4YbC9T QdXKajd2mWFwgkc0rZ0E3BJzwvOXaODWDNpMGKaV7Dmf22+rCyZQvpVfGzMAFPWc pC9vSm/5sMqMXmd28KoJ0TXsX9RrPSrTsFfyc5EZmEfIogJc1W240XIwsUjwciPH cQJhoGlHjGbMs13kS8wOPmG1r2TmO6tvvOebGHbpyVkpZA== X-Virus-Scanned: by MailRoute Received: from 008.lax.mailroute.net ([127.0.0.1]) by localhost (008.lax [127.0.0.1]) (mroute_mailscanner, port 10029) with LMTP id iI0JBVcoaPHh; Fri, 12 Apr 2024 22:49:26 +0000 (UTC) Received: from [192.168.3.219] (c-73-231-117-72.hsd1.ca.comcast.net [73.231.117.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: bvanassche@acm.org) by 008.lax.mailroute.net (Postfix) with ESMTPSA id 4VGWw540GXz6Cnk8m; Fri, 12 Apr 2024 22:49:25 +0000 (UTC) Message-ID: <2ab31b48-5f89-4ada-848d-89b844f6a6f5@acm.org> Date: Fri, 12 Apr 2024 15:49:24 -0700 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [Bug] UBSAN: shift-out-of-bounds in sg_build_indirect To: Sam Sun Cc: linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, martin.petersen@oracle.com, jejb@linux.ibm.com, dgilbert@interlog.com, syzkaller@googlegroups.com, xrivendell7@gmail.com References: <2d5e3b6c-3a66-4f74-8367-51fa55bf0a1a@acm.org> Content-Language: en-US From: Bart Van Assche In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable On 4/10/24 6:17 PM, Sam Sun wrote: > On Wed, Apr 10, 2024 at 12:59=E2=80=AFAM Bart Van Assche wrote: >> >> On 4/9/24 05:51, Sam Sun wrote: >>> We further analyzed the root cause of this bug. In function >>> sg_build_indirect of drivers/scsi/sg.c, variable order of line 1900 i= s >>> calculated out using get_order(num), and num comes from >>> scatter_elem_sz. If scatter_elem_sz is equal or below zero, the order >>> returned will be 52, so that PAGE_SHIFT + order is 64, which is large= r >>> than 32 bits int range, causing shift-out-of bound. This bug is teste= d >>> and still remains in the latest upstream linux (6.9-rc3). >>> If you have any questions, please contact us. >> >> Thank you for having root-caused this issue and also for having shared >> your root-cause analysis. Do you perhaps plan to post a patch that fix= es >> this issue? >=20 > Sure, I am glad to help! But it is my first time submitting a patch, I > need to find some instructions. I would appreciate if you could help > me out. Also, I need to double check the patch to avoid introducing a > new one. It might take some time. The process for contributing a patch is as follows: 1. Clone the Linux kernel tree for the subsystem you want to contribute to. For SCSI, this is the for-next branch in git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git 2. Make your changes to the code. 3. Commit your changes (git commit -as), chose a patch title and explain what has been changed and also why. 4. Convert your changes into a patch, e.g. by running this command: git format-patch -1 5. Check the patch with scripts/checkpatch.pl. 6. Send your patch with git send-email to Martin Petersen and Cc the linux-scsi mailing list. More information is available here: https://docs.kernel.org/process/submitting-patches.html Best regards, Bart.