From: Andrew Morton <akpm@linux-foundation.org>
To: icytxw@gmail.com
Cc: bugzilla-daemon@bugzilla.kernel.org, linux-mm@kvack.org,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>
Date: Wed, 27 Jun 2018 20:48:08 -0700 [thread overview]
Message-ID: <20180627204808.99988d94180dd144b14aa38b@linux-foundation.org> (raw)
In-Reply-To: <bug-200209-27@https.bugzilla.kernel.org/>
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Fri, 22 Jun 2018 23:37:27 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=200209
>
> Bug ID: 200209
> Summary: UBSAN: Undefined behaviour in mm/fadvise.c:LINE
> Product: Memory Management
> Version: 2.5
> Kernel Version: v4.18-rc2
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Page Allocator
> Assignee: akpm@linux-foundation.org
> Reporter: icytxw@gmail.com
> Regression: No
>
> Hi,
> This bug was found in Linux Kernel v4.18-rc2
>
> $ cat report0
> ================================================================================
> UBSAN: Undefined behaviour in mm/fadvise.c:76:10
> signed integer overflow:
> 4 + 9223372036854775805 cannot be represented in type 'long long int'
> CPU: 0 PID: 13477 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x122/0x1c8 lib/dump_stack.c:113
> ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
> handle_overflow+0x1c2/0x21f lib/ubsan.c:190
> __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
> ksys_fadvise64_64+0xbf0/0xd10 mm/fadvise.c:76
> __do_sys_fadvise64 mm/fadvise.c:198 [inline]
> __se_sys_fadvise64 mm/fadvise.c:196 [inline]
> __x64_sys_fadvise64+0xa9/0x120 mm/fadvise.c:196
> do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
That overflow is deliberate:
endbyte = offset + len;
if (!len || endbyte < len)
endbyte = -1;
else
endbyte--; /* inclusive */
Or is there a hole in this logic?
If not, I guess ee can do this another way to keep the checker happy.
next parent reply other threads:[~2018-06-28 3:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-200209-27@https.bugzilla.kernel.org/>
2018-06-28 3:48 ` Andrew Morton [this message]
2018-06-29 18:44 ` Andrey Ryabinin
2018-06-29 18:44 ` [PATCH] mm/fadvise: Fix signed overflow UBSAN complaint Andrey Ryabinin
2018-06-30 1:37 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180627204808.99988d94180dd144b14aa38b@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=aryabinin@virtuozzo.com \
--cc=bugzilla-daemon@bugzilla.kernel.org \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=icytxw@gmail.com \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.