From: Eric Biggers <ebiggers@kernel.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
linux-kernel@vger.kernel.org
Subject: Bug (since v4.20): integer underflow in known_siginfo_layout() when sig=0
Date: Fri, 11 Jan 2019 16:53:06 -0800
Message-ID: <20190112005305.GB77447@gmail.com>
Hi Eric,
The following commit, which went into v4.20, introduced undefined behavior when
sys_rt_sigqueueinfo() is called with sig=0:
    commit 4ce5f9c9e7546915c559ffae594e6d73f918db00
    Author: Eric W. Biederman <ebiederm@xmission.com>
    Date:   Tue Sep 25 12:59:31 2018 +0200

        signal: Use a smaller struct siginfo in the kernel
In sig_specific_sicodes(), used from known_siginfo_layout(), the expression
'1ULL << ((sig)-1)' is undefined as it evaluates to 1ULL << 4294967295.
Reproducer:
    #include <signal.h>
    #include <sys/syscall.h>
    #include <unistd.h>

    int main(void)
    {
    	/* si_code != SI_USER so the kernel inspects the layout for this sig */
    	siginfo_t si = { .si_code = 1 };

    	/* sig = 0 reaches sig_specific_sicodes() and shifts by (0 - 1) */
    	syscall(__NR_rt_sigqueueinfo, 0, 0, &si);
    }
UBSAN report for v5.0-rc1:
UBSAN: Undefined behaviour in kernel/signal.c:2946:7
shift exponent 4294967295 is too large for 64-bit type 'long unsigned int'
CPU: 2 PID: 346 Comm: syz_signal Not tainted 5.0.0-rc1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x70/0xa5 lib/dump_stack.c:113
ubsan_epilogue+0xd/0x40 lib/ubsan.c:159
__ubsan_handle_shift_out_of_bounds+0x12c/0x170 lib/ubsan.c:425
known_siginfo_layout+0xae/0xe0 kernel/signal.c:2946
post_copy_siginfo_from_user kernel/signal.c:3009 [inline]
__copy_siginfo_from_user+0x35/0x60 kernel/signal.c:3035
__do_sys_rt_sigqueueinfo kernel/signal.c:3553 [inline]
__se_sys_rt_sigqueueinfo kernel/signal.c:3549 [inline]
__x64_sys_rt_sigqueueinfo+0x31/0x70 kernel/signal.c:3549
do_syscall_64+0x4c/0x1b0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x433639
Code: c4 18 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 27 00 00 c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffcb289fc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000081
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000433639
RDX: 00007fffcb289fd0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006b2018 R08: 000000000000004d R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401560
R13: 00000000004015f0 R14: 0000000000000000 R15: 0000000000000000
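As an added illustration (not the kernel's code, nor code from this thread), the mask test described above with the range check that keeps sig=0 off the shift. The signal set in the mask and the 64-bit width are constructed assumptions for the example.

```c
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Signal numbers are 1-based and the mask has 64 bits, so any sig outside
 * 1..64 must be rejected before computing the bit index; otherwise
 * 1ULL << (sig - 1) with sig == 0 is a shift by -1, which C leaves
 * undefined (UBSAN reports the exponent as 4294967295).
 */
#define SIG_MASK_BITS 64 /* assumption: one mask bit per signal number */

/* Constructed set of signals whose si_code values are signal-specific. */
static const uint64_t specific_sicodes_mask =
	(1ULL << (SIGILL  - 1)) | (1ULL << (SIGFPE  - 1)) |
	(1ULL << (SIGSEGV - 1)) | (1ULL << (SIGBUS  - 1)) |
	(1ULL << (SIGTRAP - 1)) | (1ULL << (SIGCHLD - 1)) |
	(1ULL << (SIGSYS  - 1));

enum sig_layout {
	LAYOUT_INVALID_SIG, /* sig outside 1..SIG_MASK_BITS: rejected, no shift */
	LAYOUT_SPECIFIC,    /* sig has its own si_code namespace */
	LAYOUT_GENERIC      /* valid sig, generic si_code interpretation */
};

/* Classify sig without ever shifting by a negative or oversized count. */
static enum sig_layout classify_sig(int sig)
{
	if (sig < 1 || sig > SIG_MASK_BITS)
		return LAYOUT_INVALID_SIG; /* the reproducer's sig=0 lands here */

	/* Shift the mask, not the constant: exponent is now known to be 0..63. */
	if ((specific_sicodes_mask >> (sig - 1)) & 1ULL)
		return LAYOUT_SPECIFIC;
	return LAYOUT_GENERIC;
}

static const char *layout_name(enum sig_layout l)
{
	return l == LAYOUT_INVALID_SIG ? "invalid" :
	       l == LAYOUT_SPECIFIC    ? "specific" : "generic";
}

int main(void)
{
	int probes[] = { 0, SIGSEGV, SIGUSR1, 65 }; /* includes the report's sig=0 */
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("sig=%d -> %s\n", probes[i], layout_name(classify_sig(probes[i])));
	return 0;
}
```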
Thread overview: 2+ messages
2019-01-12 0:53 Eric Biggers [this message]
2019-01-12 17:43 ` Bug (since v4.20): integer underflow in known_siginfo_layout() when sig=0 Eric W. Biederman