From: Denis Efremov <efremov@linux.com>
To: Kyungtae Kim <kt0755@gmail.com>
Cc: axboe@kernel.dk, jikos@kernel.org,
Byoungyoung Lee <lifeasageek@gmail.com>,
DaeRyong Jeong <threeearcat@gmail.com>,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com
Subject: Re: UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
Date: Fri, 9 Aug 2019 16:40:18 +0300 [thread overview]
Message-ID: <b71cf216-0881-5c69-abb8-c689536d1835@linux.com> (raw)
In-Reply-To: <CAEAjamtML1yMLL0DsV5JkD1H6P0Yg19F2DVq+_c-u09RaCKuDw@mail.gmail.com>
Hi!
Sorry for the late response. But I think I could add some useful info,
because I also analyzed this report from syzkaller.
I don't think that we could fix this UBSAN warning with this patch. If you look
at the lines right before your check you will find another check of cmd_count
with clarifying comment:
if (ptr->cmd_count > 33)
/* the command may now also take up the space
* initially intended for the reply & the
* reply count. Needed for long 82078 commands
* such as RESTORE, which takes ... 17 command
* bytes. Murphy's law #137: When you reserve
* 16 bytes for a structure, you'll one day
* discover that you really need 17...
*/
return -EINVAL;
for (i = 0; i < 16; i++)
ptr->reply[i] = 0;
ptr->resultcode = 0;
And a little bit more details about (from include/uapi/linux/fd.h):
struct floppy_raw_cmd {
...
unsigned char cmd_count;
unsigned char cmd[16];
unsigned char reply_count;
unsigned char reply[16];
...
}
So, cmd[16] + reply_count[1] + reply[16] == 33.
Thus, this behavior is intentional, we could not fix it this way and it's already
a part of UAPI.
But thank you for analyzing the report!
Denis
On 23.10.2018 02:20, Kyungtae Kim wrote:
> We report a bug found in v4.19-rc2 (v4.19-rc8 as well):
> UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
>
> kernel config: https://kt0755.github.io/etc/config_v2-4.19
> repro: https://kt0755.github.io/etc/repro.b4076.c
>
> Analysis:
>
> struct floppy_raw_cmd {
> unsigned char cmd_count;
> unsigned char cmd[16];
> ...
> };
>
> for (i=0; i<raw_cmd->cmd_count; i++)
> output_byte(raw_cmd->cmd[i])
>
> In driver/block/floppy.c:1495, the code snippet above is trying to
> write some bytes to the floppy disk controller, depending on "cmd_count".
> As you see "struct floppy_raw_cmd" above, the size of array “cmd” is
> fixed as 16.
> The thing is, there is no boundary check for the index of array "cmd"
> when this is used. Besides, "cmd_count" can be manipulated by raw_cmd_ioctl
> which is derived from ioctl system call.
> We observed that cmd_count is set at line 2540 (or 2111), but that is
> after such a bug arose in our experiment. So by manipulating system call
> ioctl,
> user program can have illegitimate memory access.
>
> The following is a simple patch to stop this. (This might not be the
> best.)
>
> diff --git a/linux-4.19-rc2/drivers/block/floppy.c
> b/linux-4.19-rc2/drivers/block/floppy.c
> index f2b6f4d..a3610c9 100644
> --- a/linux-4.19-rc2/drivers/block/floppy.c
> +++ b/linux-4.19-rc2/drivers/block/floppy.c
> @@ -3149,6 +3149,8 @@ static int raw_cmd_copyin(int cmd, void __user *param,
> */
> return -EINVAL;
>
> + if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd)) {
> + return -EINVAL;
> +
> for (i = 0; i < 16; i++)
> ptr->reply[i] = 0;
> ptr->resultcode = 0;
>
>
> Crash log
> ==================================================================
> UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32
> index 16 is out of range for type 'unsigned char [16]'
> CPU: 0 PID: 2420 Comm: kworker/u4:3 Not tainted 4.19.0-rc2 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: floppy fd_timer_workfn
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xd2/0x148 lib/dump_stack.c:113
> ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
> __ubsan_handle_out_of_bounds+0x174/0x1b8 lib/ubsan.c:386
> setup_rw_floppy+0xbd9/0xe60 drivers/block/floppy.c:1495
> seek_floppy drivers/block/floppy.c:1605 [inline]
> floppy_ready+0x61a/0x2230 drivers/block/floppy.c:1917
> fd_timer_workfn+0x1a/0x20 drivers/block/floppy.c:994
> process_one_work+0xa0c/0x1820 kernel/workqueue.c:2153
> worker_thread+0x8f/0xd20 kernel/workqueue.c:2296
> kthread+0x3a3/0x470 kernel/kthread.c:246
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
> ==================================================================
>
prev parent reply other threads:[~2019-08-09 13:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-22 23:20 UBSAN: Undefined behaviour in drivers/block/floppy.c:1495:32 Kyungtae Kim
2018-10-23 10:01 ` Jens Axboe
2018-10-24 6:29 ` Kyungtae Kim
2018-10-24 6:29 ` Kyungtae Kim
2018-10-24 6:33 ` Kyungtae Kim
2018-10-24 6:33 ` Kyungtae Kim
2018-10-24 9:27 ` Jens Axboe
2018-10-26 13:22 ` Kyungtae Kim
2018-10-26 14:20 ` Jens Axboe
2019-08-09 13:40 ` Denis Efremov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b71cf216-0881-5c69-abb8-c689536d1835@linux.com \
--to=efremov@linux.com \
--cc=axboe@kernel.dk \
--cc=jikos@kernel.org \
--cc=kt0755@gmail.com \
--cc=lifeasageek@gmail.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=threeearcat@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.