2021-08-12 01:12:32

by Steve French

[permalink] [raw]
Subject: signed integer overflow bug in truncate_pagecache

Running a debug build of the kernel while running regression tests for
cifs.ko on 5.11, I noticed this message logged which looks like it is
still a probably valid bug in truncate_pagecache in mm/truncate.c in
current kernel as well

loff_t holebegin = round_up(newsize, PAGE_SIZE);

This was what was in dmesg:

[23907.325526] UBSAN: signed-integer-overflow in mm/truncate.c:833:9
[23907.325532] 9223372036854775807 + 1 cannot be represented in type
'long long int'
[23907.325536] CPU: 2 PID: 13007 Comm: xfs_io Not tainted 5.11.22 #1
[23907.325540] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[23907.325543] Call Trace:
[23907.325548] dump_stack+0x8d/0xb5
[23907.325560] ubsan_epilogue+0x5/0x50
[23907.325568] handle_overflow+0xa3/0xb0
[23907.325581] truncate_pagecache+0x8a/0x90
[23907.325587] cifs_set_file_size+0xdb/0x2c0 [cifs]
[23907.325749] cifs_setattr+0xc93/0x1260 [cifs]
[23907.325799] notify_change+0x35b/0x4a0
[23907.325811] ? do_truncate+0x5e/0x90
[23907.325817] do_truncate+0x5e/0x90
[23907.325828] do_sys_ftruncate+0x143/0x280
[23907.325837] do_syscall_64+0x33/0x40
[23907.325842] entry_SYSCALL_64_after_hwframe+0x44/0xa9

--
Thanks,

Steve