From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932516AbdJXJ5M (ORCPT ); Tue, 24 Oct 2017 05:57:12 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:57706 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932267AbdJXJ5I (ORCPT ); Tue, 24 Oct 2017 05:57:08 -0400 Date: Tue, 24 Oct 2017 11:57:14 +0200 From: Greg KH To: Chen Feng Cc: zhaoyukun@huawei.com, tytso@mit.edu, arnd@arndb.de, linux-kernel@vger.kernel.org, suzhuangluan@hisilicon.com, dan.zhao@hisilicon.com Subject: Re: [PATCH RFC] random: fix syzkaller fuzzer test int overflow Message-ID: <20171024095714.GD29581@kroah.com> References: <1508831057-64195-1-git-send-email-puck.chen@hisilicon.com> <20171024090927.GA20625@kroah.com> <59EF06B1.8020108@hisilicon.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <59EF06B1.8020108@hisilicon.com> User-Agent: Mutt/1.9.1 (2017-09-22) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 24, 2017 at 05:24:01PM +0800, Chen Feng wrote: > > > On 2017/10/24 17:09, Greg KH wrote: > > On Tue, Oct 24, 2017 at 03:44:17PM +0800, Chen Feng wrote: > >> [pid:11940,cpu6,syz-executor][flp_ioctl]cmd[0x1] > >> Restart is not permit > >> ================================================================= > >> UBSAN: Undefined behaviour in > >> kernel/linux-4.4/drivers/char/random.c:676:19 > >> signed integer overflow: > >> 2147483645 + 268435455 cannot be represented in type 'int' > >> CPU: 4 PID: 11941 Comm: syz-executor Not tainted 4.4.76+ #2 > > > > Does this also happen on 4.14-rc6? > > No, mainline also has this issue. > > > >> TGID: 11928 Comm: syz-executor > >> Hardware name: hi3660 (DT) > >> Call trace: > >> [] dump_backtrace+0x0/0x314 > >> [] show_stack+0x1c/0x24 > >> [] dump_stack+0xdc/0x130 > >> [] ubsan_epilogue+0x18/0x6c > >> [] handle_overflow+0x180/0x1d4 > >> [] __ubsan_handle_add_overflow+0x2c/0x34 > >> [] credit_entropy_bits+0x358/0x9a8 > >> [] random_ioctl+0x338/0x384 > >> [] do_vfs_ioctl+0x60c/0xa4c > >> [] SyS_ioctl+0x9c/0xc0 > >> [] el0_svc_naked+0x24/0x28 > >> ================================================================= > >> > >> Signed-off-by: Chen Feng > >> Signed-off-by: Yukun Zhao > >> --- > >> drivers/char/random.c | 5 +++++ > >> 1 file changed, 5 insertions(+) > >> > >> diff --git a/drivers/char/random.c b/drivers/char/random.c > >> index 1ef2640..6f2bd6a 100644 > >> --- a/drivers/char/random.c > >> +++ b/drivers/char/random.c > >> @@ -699,6 +699,11 @@ static void credit_entropy_bits(struct entropy_store *r, int nbits) > >> if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) > >> goto retry; > >> > >> + if (INT_MAX - nbits < r->entropy_total) { > >> + WARN_ON(1); > > > > Why WARN_ON()? What is that going to help with? > Actually, I am not familiar with the random module.... > > This patch is RFC to see if some one has better idea. Well, not spamming the kernel log for something that userspace can trigger is a good start to modifying your patch :) thanks, greg k-h