[PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock
@ 2020-10-22  2:03 Luo Meng
  2020-10-22 13:21 ` Jeff Layton
  2020-10-22 17:25 ` Eric Biggers
  0 siblings, 2 replies; 5+ messages in thread
From: Luo Meng @ 2020-10-22  2:03 UTC (permalink / raw)
  To: jlayton, bfields, viro, linux-fsdevel, luomeng12

When the sum of fl->fl_start and l->l_len overflows,
UBSAN shows the following warning:

UBSAN: Undefined behaviour in fs/locks.c:482:29
signed integer overflow: 2 + 9223372036854775806
cannot be represented in type 'long long int'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe4/0x14e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x81 lib/ubsan.c:161
 handle_overflow+0x193/0x1e2 lib/ubsan.c:192
 flock64_to_posix_lock fs/locks.c:482 [inline]
 flock_to_posix_lock+0x595/0x690 fs/locks.c:515
 fcntl_setlk+0xf3/0xa90 fs/locks.c:2262
 do_fcntl+0x456/0xf60 fs/fcntl.c:387
 __do_sys_fcntl fs/fcntl.c:483 [inline]
 __se_sys_fcntl fs/fcntl.c:468 [inline]
 __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468
 do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fix it by moving -1 forward.

Signed-off-by: Luo Meng <luomeng12@huawei.com>
---
 fs/locks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/locks.c b/fs/locks.c
index 1f84a03601fe..8489787ca97e 100644
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -542,7 +542,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl,
 	if (l->l_len > 0) {
 		if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)
 			return -EOVERFLOW;
-		fl->fl_end = fl->fl_start + l->l_len - 1;
+		fl->fl_end = fl->fl_start - 1 + l->l_len;
 
 	} else if (l->l_len < 0) {
 		if (fl->fl_start + l->l_len < 0)
-- 
2.25.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock
  2020-10-22  2:03 [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock Luo Meng
@ 2020-10-22 13:21 ` Jeff Layton
  2020-10-22 14:51   ` Matthew Wilcox
  2020-10-22 17:25 ` Eric Biggers
  1 sibling, 1 reply; 5+ messages in thread
From: Jeff Layton @ 2020-10-22 13:21 UTC (permalink / raw)
  To: Luo Meng, bfields, viro, linux-fsdevel

On Thu, 2020-10-22 at 10:03 +0800, Luo Meng wrote:
> When the sum of fl->fl_start and l->l_len overflows,
> UBSAN shows the following warning:
> 
> UBSAN: Undefined behaviour in fs/locks.c:482:29
> signed integer overflow: 2 + 9223372036854775806
> cannot be represented in type 'long long int'
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xe4/0x14e lib/dump_stack.c:118
>  ubsan_epilogue+0xe/0x81 lib/ubsan.c:161
>  handle_overflow+0x193/0x1e2 lib/ubsan.c:192
>  flock64_to_posix_lock fs/locks.c:482 [inline]
>  flock_to_posix_lock+0x595/0x690 fs/locks.c:515
>  fcntl_setlk+0xf3/0xa90 fs/locks.c:2262
>  do_fcntl+0x456/0xf60 fs/fcntl.c:387
>  __do_sys_fcntl fs/fcntl.c:483 [inline]
>  __se_sys_fcntl fs/fcntl.c:468 [inline]
>  __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468
>  do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Fix it by moving -1 forward.
> 
> Signed-off-by: Luo Meng <luomeng12@huawei.com>
> ---
>  fs/locks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/locks.c b/fs/locks.c
> index 1f84a03601fe..8489787ca97e 100644
> --- a/fs/locks.c
> +++ b/fs/locks.c
> @@ -542,7 +542,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl,
>  	if (l->l_len > 0) {
>  		if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)
>  			return -EOVERFLOW;
> -		fl->fl_end = fl->fl_start + l->l_len - 1;
> +		fl->fl_end = fl->fl_start - 1 + l->l_len;
>  
>  	} else if (l->l_len < 0) {
>  		if (fl->fl_start + l->l_len < 0)

Wow, ok. Interesting that the order would have such an effect here, but
it seems legit. I'll plan to merge this for v5.11. Let me know if we
need to get this in earlier.

Thanks!
-- 
Jeff Layton <jlayton@kernel.org>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock
  2020-10-22 13:21 ` Jeff Layton
@ 2020-10-22 14:51   ` Matthew Wilcox
  0 siblings, 0 replies; 5+ messages in thread
From: Matthew Wilcox @ 2020-10-22 14:51 UTC (permalink / raw)
  To: Jeff Layton; +Cc: Luo Meng, bfields, viro, linux-fsdevel

On Thu, Oct 22, 2020 at 09:21:35AM -0400, Jeff Layton wrote:
> On Thu, 2020-10-22 at 10:03 +0800, Luo Meng wrote:
> > When the sum of fl->fl_start and l->l_len overflows,
> > UBSAN shows the following warning:
> > 
> > UBSAN: Undefined behaviour in fs/locks.c:482:29
> > signed integer overflow: 2 + 9223372036854775806
> > cannot be represented in type 'long long int'
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0xe4/0x14e lib/dump_stack.c:118
> >  ubsan_epilogue+0xe/0x81 lib/ubsan.c:161
> >  handle_overflow+0x193/0x1e2 lib/ubsan.c:192
> >  flock64_to_posix_lock fs/locks.c:482 [inline]
> >  flock_to_posix_lock+0x595/0x690 fs/locks.c:515
> >  fcntl_setlk+0xf3/0xa90 fs/locks.c:2262
> >  do_fcntl+0x456/0xf60 fs/fcntl.c:387
> >  __do_sys_fcntl fs/fcntl.c:483 [inline]
> >  __se_sys_fcntl fs/fcntl.c:468 [inline]
> >  __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468
> >  do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > 
> > Fix it by moving -1 forward.
> > 
> > Signed-off-by: Luo Meng <luomeng12@huawei.com>
> > ---
> >  fs/locks.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/fs/locks.c b/fs/locks.c
> > index 1f84a03601fe..8489787ca97e 100644
> > --- a/fs/locks.c
> > +++ b/fs/locks.c
> > @@ -542,7 +542,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl,
> >  	if (l->l_len > 0) {
> >  		if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)
> >  			return -EOVERFLOW;
> > -		fl->fl_end = fl->fl_start + l->l_len - 1;
> > +		fl->fl_end = fl->fl_start - 1 + l->l_len;
> >  
> >  	} else if (l->l_len < 0) {
> >  		if (fl->fl_start + l->l_len < 0)
> 
> Wow, ok. Interesting that the order would have such an effect here, but
> it seems legit. I'll plan to merge this for v5.11. Let me know if we
> need to get this in earlier.

It's the kind of pedantic correctness thing that should be merged because
C doesn't exactly define the behaviour.  eg a sign-magnitude machine
will behave differently from a twos-complement machine.  The fact that
nobody's made a sign-magnitude integer arithmetic machine in the last
60 years does not matter to the C spec.

It's a shame there's no uoff_t since it would be defined.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock
  2020-10-22  2:03 [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock Luo Meng
  2020-10-22 13:21 ` Jeff Layton
@ 2020-10-22 17:25 ` Eric Biggers
  2020-10-22 17:48   ` Jeff Layton
  1 sibling, 1 reply; 5+ messages in thread
From: Eric Biggers @ 2020-10-22 17:25 UTC (permalink / raw)
  To: Luo Meng; +Cc: jlayton, bfields, viro, linux-fsdevel

On Thu, Oct 22, 2020 at 10:03:41AM +0800, Luo Meng wrote:
> When the sum of fl->fl_start and l->l_len overflows,
> UBSAN shows the following warning:
> 
> UBSAN: Undefined behaviour in fs/locks.c:482:29
> signed integer overflow: 2 + 9223372036854775806
> cannot be represented in type 'long long int'
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xe4/0x14e lib/dump_stack.c:118
>  ubsan_epilogue+0xe/0x81 lib/ubsan.c:161
>  handle_overflow+0x193/0x1e2 lib/ubsan.c:192
>  flock64_to_posix_lock fs/locks.c:482 [inline]
>  flock_to_posix_lock+0x595/0x690 fs/locks.c:515
>  fcntl_setlk+0xf3/0xa90 fs/locks.c:2262
>  do_fcntl+0x456/0xf60 fs/fcntl.c:387
>  __do_sys_fcntl fs/fcntl.c:483 [inline]
>  __se_sys_fcntl fs/fcntl.c:468 [inline]
>  __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468
>  do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Fix it by moving -1 forward.
> 
> Signed-off-by: Luo Meng <luomeng12@huawei.com>
> ---
>  fs/locks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/locks.c b/fs/locks.c
> index 1f84a03601fe..8489787ca97e 100644
> --- a/fs/locks.c
> +++ b/fs/locks.c
> @@ -542,7 +542,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl,
>  	if (l->l_len > 0) {
>  		if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)
>  			return -EOVERFLOW;
> -		fl->fl_end = fl->fl_start + l->l_len - 1;
> +		fl->fl_end = fl->fl_start - 1 + l->l_len;
>  

Given what the bounds check just above does, wouldn't it make more sense to
parenthesize 'l->l_len - 1' instead?  So:

		fl->fl_end = fl->fl_start + (l->l_len - 1);

Also FWIW, the Linux kernel uses the -fwrapv compiler flag, so signed integer
overflow is defined.  IMO it's still best avoided though...

- Eric

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock
  2020-10-22 17:25 ` Eric Biggers
@ 2020-10-22 17:48   ` Jeff Layton
  0 siblings, 0 replies; 5+ messages in thread
From: Jeff Layton @ 2020-10-22 17:48 UTC (permalink / raw)
  To: Eric Biggers, Luo Meng; +Cc: bfields, viro, linux-fsdevel

On Thu, 2020-10-22 at 10:25 -0700, Eric Biggers wrote:
> On Thu, Oct 22, 2020 at 10:03:41AM +0800, Luo Meng wrote:
> > When the sum of fl->fl_start and l->l_len overflows,
> > UBSAN shows the following warning:
> > 
> > UBSAN: Undefined behaviour in fs/locks.c:482:29
> > signed integer overflow: 2 + 9223372036854775806
> > cannot be represented in type 'long long int'
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0xe4/0x14e lib/dump_stack.c:118
> >  ubsan_epilogue+0xe/0x81 lib/ubsan.c:161
> >  handle_overflow+0x193/0x1e2 lib/ubsan.c:192
> >  flock64_to_posix_lock fs/locks.c:482 [inline]
> >  flock_to_posix_lock+0x595/0x690 fs/locks.c:515
> >  fcntl_setlk+0xf3/0xa90 fs/locks.c:2262
> >  do_fcntl+0x456/0xf60 fs/fcntl.c:387
> >  __do_sys_fcntl fs/fcntl.c:483 [inline]
> >  __se_sys_fcntl fs/fcntl.c:468 [inline]
> >  __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468
> >  do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > 
> > Fix it by moving -1 forward.
> > 
> > Signed-off-by: Luo Meng <luomeng12@huawei.com>
> > ---
> >  fs/locks.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/fs/locks.c b/fs/locks.c
> > index 1f84a03601fe..8489787ca97e 100644
> > --- a/fs/locks.c
> > +++ b/fs/locks.c
> > @@ -542,7 +542,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl,
> >  	if (l->l_len > 0) {
> >  		if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)
> >  			return -EOVERFLOW;
> > -		fl->fl_end = fl->fl_start + l->l_len - 1;
> > +		fl->fl_end = fl->fl_start - 1 + l->l_len;
> >  
> 
> Given what the bounds check just above does, wouldn't it make more sense to
> parenthesize 'l->l_len - 1' instead?  So:
> 
> 		fl->fl_end = fl->fl_start + (l->l_len - 1);
> 
> Also FWIW, the Linux kernel uses the -fwrapv compiler flag, so signed integer
> overflow is defined.  IMO it's still best avoided though...
> 

That does seem less ambiguous.

Luo, if you're OK with that approach, I can just fix it up in-tree.
-- 
Jeff Layton <jlayton@kernel.org>


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-10-22 17:49 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-22  2:03 [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock Luo Meng
2020-10-22 13:21 ` Jeff Layton
2020-10-22 14:51   ` Matthew Wilcox
2020-10-22 17:25 ` Eric Biggers
2020-10-22 17:48   ` Jeff Layton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).