diff mbox series

scsi: sr: fix unintentional arithmetic wraparound

Message ID 20240508-b4-b4-sio-sr_select_speed-v1-1-968906b908b7@google.com (mailing list archive)
State Superseded
Headers show
Series scsi: sr: fix unintentional arithmetic wraparound | expand

Commit Message

Justin Stitt May 8, 2024, 12:02 a.m. UTC
Running syzkaller with the newly reintroduced signed integer overflow
sanitizer produces this report:

[   65.194362] ------------[ cut here ]------------
[   65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9
[   65.203607] -2147483648 * 177 cannot be represented in type 'int'
[   65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   65.219923] Call Trace:
[   65.221556]  <TASK>
[   65.223029]  dump_stack_lvl+0x93/0xd0
[   65.225573]  handle_overflow+0x171/0x1b0
[   65.228219]  sr_select_speed+0xeb/0xf0
[   65.230786]  ? __pm_runtime_resume+0xe6/0x130
[   65.233606]  sr_block_ioctl+0x15d/0x1d0
...

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").

Let's add an extra check to make sure we don't exceed 0xffff/177 (350)
since 0xffff is the max speed. This has two benefits: 1) we deal with
integer overflow before it happens and 2) we properly respect the max
speed of 0xffff. There are some "magic" numbers here but I did not want
to change more than what was necessary.

Link: https://github.com/llvm/llvm-project/pull/82432 [1]
Closes: https://github.com/KSPP/linux/issues/357
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
---
Here's the syzkaller reproducer:
r0 = openat$cdrom(0xffffffffffffff9c, &(0x7f0000000140), 0x800, 0x0)
ioctl$CDROM_SELECT_SPEED(r0, 0x5322, 0x7ee9f7c1)

... which was used against Kees' tree here (v6.8rc2):
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=wip/v6.9-rc2/unsigned-overflow-sanitizer

... with this config:
https://gist.github.com/JustinStitt/824976568b0f228ccbcbe49f3dee9bf4
---
 drivers/scsi/sr_ioctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


---
base-commit: 0106679839f7c69632b3b9833c3268c316c0a9fc
change-id: 20240507-b4-b4-sio-sr_select_speed-e68c0d426891

Best regards,
--
Justin Stitt <justinstitt@google.com>

Comments

Kees Cook May 8, 2024, 12:23 a.m. UTC | #1
On Wed, May 08, 2024 at 12:02:27AM +0000, Justin Stitt wrote:
> Running syzkaller with the newly reintroduced signed integer overflow
> sanitizer produces this report:
> 
> [   65.194362] ------------[ cut here ]------------
> [   65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9
> [   65.203607] -2147483648 * 177 cannot be represented in type 'int'
> [   65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
> [   65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [   65.219923] Call Trace:
> [   65.221556]  <TASK>
> [   65.223029]  dump_stack_lvl+0x93/0xd0
> [   65.225573]  handle_overflow+0x171/0x1b0
> [   65.228219]  sr_select_speed+0xeb/0xf0
> [   65.230786]  ? __pm_runtime_resume+0xe6/0x130
> [   65.233606]  sr_block_ioctl+0x15d/0x1d0
> ...
> 
> Historically, the signed integer overflow sanitizer did not work in the
> kernel due to its interaction with `-fwrapv` but this has since been
> changed [1] in the newest version of Clang. It was re-enabled in the
> kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
> sanitizer").
> 
> Let's add an extra check to make sure we don't exceed 0xffff/177 (350)
> since 0xffff is the max speed. This has two benefits: 1) we deal with
> integer overflow before it happens and 2) we properly respect the max
> speed of 0xffff. There are some "magic" numbers here but I did not want
> to change more than what was necessary.
> 
> Link: https://github.com/llvm/llvm-project/pull/82432 [1]
> Closes: https://github.com/KSPP/linux/issues/357
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@google.com>
> ---
> Here's the syzkaller reproducer:
> r0 = openat$cdrom(0xffffffffffffff9c, &(0x7f0000000140), 0x800, 0x0)
> ioctl$CDROM_SELECT_SPEED(r0, 0x5322, 0x7ee9f7c1)
> 
> ... which was used against Kees' tree here (v6.8rc2):
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=wip/v6.9-rc2/unsigned-overflow-sanitizer
> 
> ... with this config:
> https://gist.github.com/JustinStitt/824976568b0f228ccbcbe49f3dee9bf4
> ---
>  drivers/scsi/sr_ioctl.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
> index 5b0b35e60e61..2d78bcf68eb3 100644
> --- a/drivers/scsi/sr_ioctl.c
> +++ b/drivers/scsi/sr_ioctl.c
> @@ -430,7 +430,8 @@ int sr_select_speed(struct cdrom_device_info *cdi, int speed)
>  	Scsi_CD *cd = cdi->handle;
>  	struct packet_command cgc;
>  
> -	if (speed == 0)
> +	/* avoid exceeding the max speed or overflowing integer bounds */
> +	if (speed == 0 || speed > 0xffff / 177)
>  		speed = 0xffff;	/* set to max */
>  	else
>  		speed *= 177;	/* Nx to kbyte/s */

I didn't see a "speed < 0" check, so I went to check the type on "speed"
and found it to be "int". So I'd expect such a check, but then I looked at
the interface: I think it's wrong that "speed" is an int at all. There's
only 1 caller, and 1 implementation of "select_speed":

$ git grep '\.select_speed'
drivers/scsi/sr.c:      .select_speed           = sr_select_speed,

static int cdrom_ioctl_select_speed(struct cdrom_device_info *cdi,
                unsigned long arg)
{
	...
        return cdi->ops->select_speed(cdi, arg);
}

And the arg there is unsigned long (?!).

So I think probably the prototype should be changed to unsigned long,
and then it can clamp the "speed" argument:

+	/* avoid exceeding the max speed or overflowing integer bounds */
+	speed = clamp(0, speed, 0xffff / 177);
 	if (speed == 0)
  		speed = 0xffff;	/* set to max */
  	else
  		speed *= 177;	/* Nx to kbyte/s */

Then the "negative" values go away are then correctly treated as
"too big" in the clamping.

-Kees
diff mbox series

Patch

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 5b0b35e60e61..2d78bcf68eb3 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -430,7 +430,8 @@  int sr_select_speed(struct cdrom_device_info *cdi, int speed)
 	Scsi_CD *cd = cdi->handle;
 	struct packet_command cgc;
 
-	if (speed == 0)
+	/* avoid exceeding the max speed or overflowing integer bounds */
+	if (speed == 0 || speed > 0xffff / 177)
 		speed = 0xffff;	/* set to max */
 	else
 		speed *= 177;	/* Nx to kbyte/s */