From: Greg KH <gregkh@linuxfoundation.org>
To: Chen Feng <puck.chen@hisilicon.com>
Cc: zhaoyukun@huawei.com, tytso@mit.edu, arnd@arndb.de,
	linux-kernel@vger.kernel.org, suzhuangluan@hisilicon.com,
	dan.zhao@hisilicon.com
Subject: Re: [PATCH RFC] random: fix syzkaller fuzzer test int overflow
Date: Tue, 24 Oct 2017 11:57:14 +0200
Message-ID: <20171024095714.GD29581@kroah.com>
In-Reply-To: <59EF06B1.8020108@hisilicon.com>

On Tue, Oct 24, 2017 at 05:24:01PM +0800, Chen Feng wrote:
> 
> 
> On 2017/10/24 17:09, Greg KH wrote:
> > On Tue, Oct 24, 2017 at 03:44:17PM +0800, Chen Feng wrote:
> >> [pid:11940,cpu6,syz-executor][flp_ioctl]cmd[0x1]
> >> Restart is not permit
> >> =================================================================
> >> UBSAN: Undefined behaviour in
> >> kernel/linux-4.4/drivers/char/random.c:676:19
> >> signed integer overflow:
> >> 2147483645 + 268435455 cannot be represented in type 'int'
> >> CPU: 4 PID: 11941 Comm: syz-executor Not tainted 4.4.76+ #2
> > 
> > Does this also happen on 4.14-rc6?
> 
> No, mainline also has this issue.
> > 
> >> TGID: 11928 Comm: syz-executor
> >> Hardware name: hi3660 (DT)
> >> Call trace:
> >> [<ffffffa661090378>] dump_backtrace+0x0/0x314
> >> [<ffffffa66109077c>] show_stack+0x1c/0x24
> >> [<ffffffa66180cc54>] dump_stack+0xdc/0x130
> >> [<ffffffa6618833d0>] ubsan_epilogue+0x18/0x6c
> >> [<ffffffa661883c5c>] handle_overflow+0x180/0x1d4
> >> [<ffffffa661883cdc>] __ubsan_handle_add_overflow+0x2c/0x34
> >> [<ffffffa661ab75a0>] credit_entropy_bits+0x358/0x9a8
> >> [<ffffffa661ab85bc>] random_ioctl+0x338/0x384
> >> [<ffffffa661399c74>] do_vfs_ioctl+0x60c/0xa4c
> >> [<ffffffa66139a150>] SyS_ioctl+0x9c/0xc0
> >> [<ffffffa6610838b0>] el0_svc_naked+0x24/0x28
> >> =================================================================
> >>
> >> Signed-off-by: Chen Feng <puck.chen@hisilicon.com>
> >> Signed-off-by: Yukun Zhao <zhaoyukun@huawei.com>
> >> ---
> >>  drivers/char/random.c | 5 +++++
> >>  1 file changed, 5 insertions(+)
> >>
> >> diff --git a/drivers/char/random.c b/drivers/char/random.c
> >> index 1ef2640..6f2bd6a 100644
> >> --- a/drivers/char/random.c
> >> +++ b/drivers/char/random.c
> >> @@ -699,6 +699,11 @@ static void credit_entropy_bits(struct entropy_store *r, int nbits)
> >>  	if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
> >>  		goto retry;
> >>  
> >> +	if (INT_MAX - nbits < r->entropy_total) {
> >> +		WARN_ON(1);
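Review bot: the guard `INT_MAX - nbits < r->entropy_total` is itself an overflowing expression when nbits is negative, and the hunk header shows the parameter is a signed `int nbits`, so the check should be two-sided (compare against `INT_MAX - nbits` only for nbits > 0 and against `INT_MIN - nbits` for nbits < 0) before it can be called an overflow fix. The hunk also stops right after `WARN_ON(1);`, so it is not visible what happens once the condition is hit; detecting the wrap and then still performing the add would leave the UBSAN report in place, so the code after the check should saturate or skip the update. Finally, `WARN_ON(1)` on a path the trace shows is reachable through `random_ioctl` is a log-spam vector; if a warning is wanted at all, a once-only or rate-limited variant is the usual choice, and silently saturating `entropy_total` is likely sufficient.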
> > 
> > Why WARN_ON()?  What is that going to help with?
> Actually, I am not familiar with the random module....
> 
> This patch is RFC to see if some one has better idea.

Well, not spamming the kernel log for something that userspace can
trigger is a good start to modifying your patch :)

thanks,

greg k-h
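What a two-sided, saturating version of the check discussed above looks like, as an added example that is not part of this thread or of drivers/char/random.c; `struct entropy_store_demo`, `credit_would_overflow()` and `credit_entropy_total_sat()` are constructed stand-ins for the kernel's `entropy_store` and `credit_entropy_bits()`, and the sample values are the two operands from the quoted UBSAN report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the kernel's entropy_store; only the field
 * that overflowed in the report is modelled. */
struct entropy_store_demo {
	int entropy_total;
};

/* Returns true if total + nbits cannot be represented in an int.
 * The check is two-sided: for a debit (nbits < 0) the comparison is
 * against INT_MIN, so the subtraction never overflows on its own the
 * way `INT_MAX - nbits` does for negative nbits. */
static bool credit_would_overflow(int total, int nbits)
{
	if (nbits > 0)
		return total > INT_MAX - nbits;
	if (nbits < 0)
		return total < INT_MIN - nbits;
	return false;
}

/* Applies the credit, saturating instead of wrapping. Reports whether
 * saturation happened through *overflowed so the caller can count the
 * event (or warn once / rate-limited) rather than log per occurrence on
 * a path userspace can drive through random_ioctl(). */
static int credit_entropy_total_sat(struct entropy_store_demo *r, int nbits,
				    bool *overflowed)
{
	bool of = credit_would_overflow(r->entropy_total, nbits);

	if (!of)
		r->entropy_total += nbits;
	else
		r->entropy_total = (nbits > 0) ? INT_MAX : INT_MIN;
	if (overflowed)
		*overflowed = of;
	return r->entropy_total;
}

/* Replays the operands from the UBSAN report: 2147483645 + 268435455.
 * With the plain add this is signed overflow; here it saturates. */
static int demo_ubsan_case(bool *overflowed)
{
	struct entropy_store_demo r = { .entropy_total = 2147483645 };

	return credit_entropy_total_sat(&r, 268435455, overflowed);
}
```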
