Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp576638lqo; Fri, 10 May 2024 08:25:04 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU6wQDubK7cc+pG6x9h23qhl2OoRil0YH0LFF2dz+nK8u4jSjaHCe9+Nsg3FPP8B0fjH2O8cSCaAaG5MJCDpu0y8TIXgqxvMF//1V/pMQ== X-Google-Smtp-Source: AGHT+IGl0jpdbwWv6X9TaBJ7jtAMeibX9V38CvHNDsF/RbpdR6b6no2ztbxQC0AMq1ysWy2YKJ/5 X-Received: by 2002:a05:6e02:1488:b0:36c:8646:159e with SMTP id e9e14a558f8ab-36cc14ab555mr35048385ab.17.1715354704410; Fri, 10 May 2024 08:25:04 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715354704; cv=pass; d=google.com; s=arc-20160816; b=xX35RE0tWySIzAgv3IY2HsliDp9dH4i91A/DtOGFhHNWZ35k0/B2+N2ycsjmrteTg6 Q+NRfMa7BKnnBRw9P2ZpUoo0DrfVfvuTmxFY87kZQnssw31/45P/E9azFCus/rBRcrdV N5k1qqxuaG+JdJ4768BNxcOPC7l2xWN2p5FHokxHgj5lsYKUcLImXyC30+G7tX3ixQV7 tMcgHzp90WzZ5Uwf9NNkg0sYvSH7ctJWROgbfPa29gclXIVe9SuIA8FnwFmPNCUBuAaj ZqhbZBZ040WkDB4Y+ZRgZBbKNu5MK05uTkrBjOEIKAsM+ddUscLK6tSHJoiH/2b/HvHj snLA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-signature:dkim-signature :dkim-signature; bh=gkfYfa2bSqpqubQurBedtYk/7Fl2S8Y+GKROzrM51Ig=; fh=SkoiJtJIm3GHsw7HEEaKGzefAB1Gf5t6DQ/CJrXZ9OM=; b=lXkUFuqbOeegDNJLKuBOrW1a5VXn6uEmtt7Sb/Y2dbVu9QieeX9/T9hnXRmIvqHclj 6HvG6PdBXDo5O7+zPzzadj5E5MZLucaIYxN7WvwKrXl+Id8d2OydhbvoBPgBufvJpslO NF6bEw/MgnP7TkSwD2W0N13krO0T1umD6UEpXjo5Lk6LJtYQd49j+SaKahmbQHsX91aP 6vqev+Bzjh6I22HALBuekLJv6+ZByRtpZbbjwVzwVrdgtCA5smhRyjBHY7pjZCmFkd9l K3JWygjdbyoys2sDH5iURev6dlCFe3VOXr+Ksyi8d71+o9CI3gOLgeCrp84jI3G282zS mjYw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b="SYWaCTf/"; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b="SYWaCTf/"; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519; arc=pass (i=1 spf=pass spfdomain=suse.cz dkim=pass dkdomain=suse.cz dkim=pass dkdomain=suse.cz); spf=pass (google.com: domain of linux-kernel+bounces-175934-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-175934-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-639c86b3be2si707128a12.64.2024.05.10.08.25.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 May 2024 08:25:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-175934-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b="SYWaCTf/"; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b="SYWaCTf/"; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519; arc=pass (i=1 spf=pass spfdomain=suse.cz dkim=pass dkdomain=suse.cz dkim=pass dkdomain=suse.cz); spf=pass (google.com: domain of linux-kernel+bounces-175934-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-175934-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id BEA29287A96 for ; Fri, 10 May 2024 15:15:23 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 72E5812C53F; Fri, 10 May 2024 15:15:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b="SYWaCTf/"; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b="ssG029tG"; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b="SYWaCTf/"; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b="ssG029tG" Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1F552171653; Fri, 10 May 2024 15:15:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715354113; cv=none; b=VtlvoSH2KoNTKo66JEXozkcodCvMO9PBTc0zJkYCeK/SR6kTaNQQuUZxTThYg7hWeO/SPZsOkPy71CtoJ2gFmxi60S/X58S7B/n1fo0+4a7t5CRzAyxwQedJQ4seL8SStyfXYa6MYcKPBkRXuOav3rFVYE/wWB4W5XtYUOVHZVQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715354113; c=relaxed/simple; bh=+l80251r0ZhwdypAfFr7iG7PA4iPz9YsZVkf3xTYNbA=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=DBcqco3+X4HY7hBnlvnmICkFlwv6/jqLUo10LDECP5C57rIKQlxbzXEP1nTf71pFmvioRbHpnyoXKWfK92cCjEKRfP937thgMjDOuHDc9xIYpbgMkbN6iuWTYuxxI/dgaID9NFmIzc6wlRppEkNt4miycKnxVxINWYTSlSJI/v0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz; spf=pass smtp.mailfrom=suse.cz; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b=SYWaCTf/; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b=ssG029tG; dkim=pass (1024-bit key) header.d=suse.cz header.i=@suse.cz header.b=SYWaCTf/; dkim=permerror (0-bit key) header.d=suse.cz header.i=@suse.cz header.b=ssG029tG; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.cz Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 1664567398; Fri, 10 May 2024 15:15:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1715354109; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=gkfYfa2bSqpqubQurBedtYk/7Fl2S8Y+GKROzrM51Ig=; b=SYWaCTf/d50jctkmp4j8AYu1ygzCnz99vfAWh+792nzYE8+Y26mKg31h2M8xAb0K8Lu63C cSbNKxgJq3BPMZWSnKRmO/ScTnAouMc8FDXwl39KsoYQQWLCXt9dGmUPOF+2O4lBVDDodS yrXkDXTlOIxvtEiAlDD4s5d4b5OgSxo= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1715354109; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=gkfYfa2bSqpqubQurBedtYk/7Fl2S8Y+GKROzrM51Ig=; b=ssG029tGeFnfLQzjax5mMmKqSG6X1vCpV9q/jWyoYoCnZ5e0obffkT29/ZI/pazxqECgm4 Xu9WiQurQwCiqGDA== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b="SYWaCTf/"; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=ssG029tG DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1715354109; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=gkfYfa2bSqpqubQurBedtYk/7Fl2S8Y+GKROzrM51Ig=; b=SYWaCTf/d50jctkmp4j8AYu1ygzCnz99vfAWh+792nzYE8+Y26mKg31h2M8xAb0K8Lu63C cSbNKxgJq3BPMZWSnKRmO/ScTnAouMc8FDXwl39KsoYQQWLCXt9dGmUPOF+2O4lBVDDodS yrXkDXTlOIxvtEiAlDD4s5d4b5OgSxo= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1715354109; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=gkfYfa2bSqpqubQurBedtYk/7Fl2S8Y+GKROzrM51Ig=; b=ssG029tGeFnfLQzjax5mMmKqSG6X1vCpV9q/jWyoYoCnZ5e0obffkT29/ZI/pazxqECgm4 Xu9WiQurQwCiqGDA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 09A90139AA; Fri, 10 May 2024 15:15:09 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id zAxUAv05PmYqKAAAD6G6ig (envelope-from ); Fri, 10 May 2024 15:15:09 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id A59B8A0983; Fri, 10 May 2024 17:15:08 +0200 (CEST) Date: Fri, 10 May 2024 17:15:08 +0200 From: Jan Kara To: Justin Stitt Cc: Alexander Viro , Christian Brauner , Jan Kara , Nathan Chancellor , Bill Wendling , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: Re: [PATCH] fs: fix unintentional arithmetic wraparound in offset calculation Message-ID: <20240510151508.hajqjxsn7rghk3dj@quack3> References: <20240509-b4-sio-read_write-v1-1-06bec2022697@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240509-b4-sio-read_write-v1-1-06bec2022697@google.com> X-Spam-Level: X-Spamd-Result: default: False [-4.01 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_RHS_NOT_FQDN(0.50)[]; R_DKIM_ALLOW(-0.20)[suse.cz:s=susede2_rsa,suse.cz:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCVD_COUNT_THREE(0.00)[3]; MIME_TRACE(0.00)[0:+]; FUZZY_BLOCKED(0.00)[rspamd.com]; ARC_NA(0.00)[]; DKIM_SIGNED(0.00)[suse.cz:s=susede2_rsa,suse.cz:s=susede2_ed25519]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCPT_COUNT_SEVEN(0.00)[10]; DWL_DNSWL_BLOCKED(0.00)[suse.cz:dkim]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; MISSING_XM_UA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; DKIM_TRACE(0.00)[suse.cz:+]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,suse.cz:dkim] X-Rspamd-Action: no action X-Rspamd-Queue-Id: 1664567398 X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-Spam-Flag: NO X-Spam-Score: -4.01 On Thu 09-05-24 21:34:58, Justin Stitt wrote: > When running syzkaller with the newly reintroduced signed integer > overflow sanitizer we encounter this report: > > [ 67.991989] ------------[ cut here ]------------ > [ 67.995501] UBSAN: signed-integer-overflow in ../fs/read_write.c:91:10 > [ 68.000067] 9223372036854775807 + 4096 cannot be represented in type 'loff_t' (aka 'long long') > [ 68.006266] CPU: 4 PID: 10851 Comm: syz-executor.5 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 > [ 68.012353] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 > [ 68.018983] Call Trace: > [ 68.020803] > [ 68.022540] dump_stack_lvl+0x93/0xd0 > [ 68.025222] handle_overflow+0x171/0x1b0 > [ 68.028053] generic_file_llseek_size+0x35b/0x380 > ... > > Historically, the signed integer overflow sanitizer did not work in the > kernel due to its interaction with `-fwrapv` but this has since been > changed [1] in the newest version of Clang. It was re-enabled in the > kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow > sanitizer"). > > Since @offset is later limited by @maxsize, we can proactively safeguard > against exceeding that value and also dodge some accidental overflow > (which may cause bad file access): > > loff_t vfs_setpos(struct file *file, loff_t offset, loff_t maxsize) > { > if (offset < 0 && !unsigned_offsets(file)) > return -EINVAL; > if (offset > maxsize) > return -EINVAL; > ... > > Link: https://github.com/llvm/llvm-project/pull/82432 [1] > Closes: https://github.com/KSPP/linux/issues/358 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt > --- > Here's the syzkaller reproducer: > | # {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: > | # SandboxArg:0 Leak:false NetInjection:false NetDevices:false > | # NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false > | # DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false > | # IEEE802154:false Sysctl:false Swap:false UseTmpDir:false > | # HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false > | # Fault:false FaultCall:0 FaultNth:0}} > | r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/address_bits', 0x0, 0x98) > | lseek(r0, 0x7fffffffffffffff, 0x2) > > ... which was used against Kees' tree here (v6.8rc2): > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=wip/v6.9-rc2/unsigned-overflow-sanitizer > > ... with this config: > https://gist.github.com/JustinStitt/824976568b0f228ccbcbe49f3dee9bf4 > --- > fs/read_write.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/read_write.c b/fs/read_write.c > index d4c036e82b6c..10c3eaa5ef55 100644 > --- a/fs/read_write.c > +++ b/fs/read_write.c > @@ -88,7 +88,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence, > { > switch (whence) { > case SEEK_END: > - offset += eof; > + offset = min_t(loff_t, offset, maxsize - eof) + eof; Well, but by this you change the behavior of seek(2) for huge offsets. Previously we'd return -EINVAL (from following vfs_setpos()), now we set position to maxsize. I don't think that is desirable? Also the addition in SEEK_CUR could overflow in the same way AFAICT so we could treat that in one patch so that the whole function is fixed at once? Honza -- Jan Kara SUSE Labs, CR