From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753385AbdFMNDb (ORCPT ); Tue, 13 Jun 2017 09:03:31 -0400 Received: from szxga03-in.huawei.com ([45.249.212.189]:7413 "EHLO szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752078AbdFMNDa (ORCPT ); Tue, 13 Jun 2017 09:03:30 -0400 Message-ID: <593FE23D.3050502@huawei.com> Date: Tue, 13 Jun 2017 21:01:49 +0800 From: zhong jiang User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: Jeff Layton CC: Jiri Slaby , , "J. Bruce Fields" , Alexander Viro , Subject: Re: [PATCH v3 2/2] fs/fcntl: f_setown, avoid undefined behaviour References: <20170613113551.15098-1-jslaby@suse.cz> <20170613113551.15098-2-jslaby@suse.cz> <1497356037.5762.17.camel@redhat.com> In-Reply-To: <1497356037.5762.17.camel@redhat.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.177.29.68] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.593FE255.023D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 81fef401cbc0bc4df5c7434f873a8b9a Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2017/6/13 20:13, Jeff Layton wrote: > On Tue, 2017-06-13 at 13:35 +0200, Jiri Slaby wrote: >> fcntl(0, F_SETOWN, 0x80000000) triggers: >> UBSAN: Undefined behaviour in fs/fcntl.c:118:7 >> negation of -2147483648 cannot be represented in type 'int': >> CPU: 1 PID: 18261 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1 >> ... >> Call Trace: >> ... >> [] ? f_setown+0x1d8/0x200 >> [] ? SyS_fcntl+0x999/0xf30 >> [] ? entry_SYSCALL_64_fastpath+0x23/0xc1 >> >> Fix that by checking the arg parameter properly (against INT_MAX) before >> "who = -who". And return immediatelly with -EINVAL in case it is wrong. >> Note that according to POSIX we can return EINVAL: >> http://pubs.opengroup.org/onlinepubs/9699919799/functions/fcntl.html >> >> [EINVAL] >> The cmd argument is F_SETOWN and the value of the argument >> is not valid as a process or process group identifier. >> >> [v2] returns an error, v1 used to fail silently >> [v3] implement proper check for the bad value INT_MIN >> >> Signed-off-by: Jiri Slaby >> Cc: Jeff Layton >> Cc: "J. Bruce Fields" >> Cc: Alexander Viro >> Cc: linux-fsdevel@vger.kernel.org >> --- >> fs/fcntl.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/fs/fcntl.c b/fs/fcntl.c >> index 313eba860346..693322e28751 100644 >> --- a/fs/fcntl.c >> +++ b/fs/fcntl.c >> @@ -116,6 +116,10 @@ int f_setown(struct file *filp, unsigned long arg, int force) >> int who = arg; >> type = PIDTYPE_PID; >> if (who < 0) { >> + /* avoid overflow below */ >> + if (who == INT_MIN) >> + return -EINVAL; >> + >> type = PIDTYPE_PGID; >> who = -who; >> } > Seems reasonable. > > I do somewhat lean toward checking for all larger values, but there > could be userland programs that leave the upper bits set when they cast > this to unsigned long. This is probably the safer thing to do. > > I'll plan to pick these up for v4.12. > > On the other related note...I think we ought to return ESRCH when > find_vpid returns NULL. I'll take a look at that sometime soon too. > > Thanks! hi, jeff I have sent the patch about find_vpid ,and exist in linux-next branch https://patchwork.kernel.org/patch/9766259/ Thanks zhongjiang