Linux-Fsdevel Archive on lore.kernel.org
From: Jeff Layton <jlayton@kernel.org>
To: Luo Meng <luomeng12@huawei.com>,
	bfields@fieldses.org, viro@zeniv.linux.org.uk,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock
Date: Thu, 22 Oct 2020 09:21:35 -0400
Message-ID: <3cb0aeaa4e75b5dd4c0e6bb8b04f277f7162a581.camel@kernel.org> (raw)
In-Reply-To: <20201022020341.2434316-1-luomeng12@huawei.com>

On Thu, 2020-10-22 at 10:03 +0800, Luo Meng wrote:
> When the sum of fl->fl_start and l->l_len overflows,
> UBSAN shows the following warning:
> 
> UBSAN: Undefined behaviour in fs/locks.c:482:29
> signed integer overflow: 2 + 9223372036854775806
> cannot be represented in type 'long long int'
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xe4/0x14e lib/dump_stack.c:118
>  ubsan_epilogue+0xe/0x81 lib/ubsan.c:161
>  handle_overflow+0x193/0x1e2 lib/ubsan.c:192
>  flock64_to_posix_lock fs/locks.c:482 [inline]
>  flock_to_posix_lock+0x595/0x690 fs/locks.c:515
>  fcntl_setlk+0xf3/0xa90 fs/locks.c:2262
>  do_fcntl+0x456/0xf60 fs/fcntl.c:387
>  __do_sys_fcntl fs/fcntl.c:483 [inline]
>  __se_sys_fcntl fs/fcntl.c:468 [inline]
>  __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468
>  do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Fix it by moving -1 forward.
> 
> Signed-off-by: Luo Meng <luomeng12@huawei.com>
> ---
>  fs/locks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/locks.c b/fs/locks.c
> index 1f84a03601fe..8489787ca97e 100644
> --- a/fs/locks.c
> +++ b/fs/locks.c
> @@ -542,7 +542,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl,
>  	if (l->l_len > 0) {
>  		if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)
>  			return -EOVERFLOW;
> -		fl->fl_end = fl->fl_start + l->l_len - 1;
> +		fl->fl_end = fl->fl_start - 1 + l->l_len;
>  
>  	} else if (l->l_len < 0) {
>  		if (fl->fl_start + l->l_len < 0)
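Review bot: the reordered assignment on the `+` line is correct but non-obvious and should carry a comment explaining why the order matters. The check `if (l->l_len - 1 > OFFSET_MAX - fl->fl_start)` two lines above guarantees that the final value `fl_start + l_len - 1` fits in loff_t, but not that the intermediate `fl_start + l_len` does: the operands from the UBSAN report, 2 + 9223372036854775806, pass that check exactly at the boundary and then overflow before the `- 1` is applied, which is what `fl->fl_start - 1 + l->l_len` avoids. Without something like `/* fl_start + l_len can overflow; subtract 1 first */` next to it, a later cleanup could easily "simplify" the expression back to the overflowing form.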

Wow, ok. Interesting that the order would have such an effect here, but
it seems legit. I'll plan to merge this for v5.11. Let me know if we
need to get this in earlier.

Thanks!
-- 
Jeff Layton <jlayton@kernel.org>
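As an added illustration (not part of the patch or of fs/locks.c) of why the operand order matters, the following C model of the `l_len > 0` branch uses `__builtin_add_overflow` to detect the intermediate overflow UBSAN reported. The names `koff_t` and `compute_fl_end`, and the return convention, are this example's own; like the kernel's branch, it assumes `fl_start >= 0` and `l_len > 0`.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel's loff_t and OFFSET_MAX (constructed for this example). */
typedef long long koff_t;
#define OFFSET_MAX LLONG_MAX

/*
 * Models the l_len > 0 branch of flock64_to_posix_lock(). 'reordered'
 * selects between the original expression, fl_start + l_len - 1, and the
 * patched one, fl_start - 1 + l_len. Returns 0 and sets *fl_end on success,
 * -EOVERFLOW if the existing range check rejects the lock, and -1 if an
 * intermediate addition would overflow (the condition UBSAN flagged).
 * Caller guarantees fl_start >= 0 and l_len > 0, as the kernel does here.
 */
static int compute_fl_end(koff_t fl_start, koff_t l_len, bool reordered, koff_t *fl_end)
{
    koff_t tmp;

    /* The range check the kernel already performs before the assignment. */
    if (l_len - 1 > OFFSET_MAX - fl_start)
        return -EOVERFLOW;

    if (!reordered) {
        /* Original order: fl_start + l_len may exceed LLONG_MAX even though
         * fl_start + l_len - 1 would not. */
        if (__builtin_add_overflow(fl_start, l_len, &tmp))
            return -1;
        *fl_end = tmp - 1;
    } else {
        /* Patched order: subtracting 1 first keeps the intermediate in range. */
        if (__builtin_add_overflow(fl_start - 1, l_len, &tmp))
            return -1;
        *fl_end = tmp;
    }
    return 0;
}

int main(void)
{
    /* The exact operands from the UBSAN report: 2 + 9223372036854775806. */
    koff_t end = 0;
    int orig = compute_fl_end(2, LLONG_MAX - 1, false, &end);
    int fixed = compute_fl_end(2, LLONG_MAX - 1, true, &end);
    printf("original order: %d, reordered: %d (fl_end=%lld)\n", orig, fixed, end);
    return 0;
}
```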