
[-next,v2] nbd: add the check to prevent overflow in __nbd_ioctl()

Message ID 20210802075615.4037698-1-libaokun1@huawei.com (mailing list archive)
State New, archived

Commit Message

Baokun Li Aug. 2, 2021, 7:56 a.m. UTC
If the user specifies a large enough value for the NBD blocks option, it may
trigger a signed integer overflow, which may cause nbd->config->bytesize to
become a large or small value, zero in particular.

UBSAN: Undefined behaviour in drivers/block/nbd.c:325:31
signed integer overflow:
1024 * 4611686155866341414 cannot be represented in type 'long long int'
[...]
Call trace:
[...]
 handle_overflow+0x188/0x1dc lib/ubsan.c:192
 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
 nbd_size_set drivers/block/nbd.c:325 [inline]
 __nbd_ioctl drivers/block/nbd.c:1342 [inline]
 nbd_ioctl+0x998/0xa10 drivers/block/nbd.c:1395
 __blkdev_driver_ioctl block/ioctl.c:311 [inline]
[...]

Although it is not a big deal, still silence the UBSAN by limit
the input value.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
---
V1->V2:
	Use check_mul_overflow().

 drivers/block/nbd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

kernel test robot Aug. 2, 2021, 10:34 a.m. UTC | #1
Hi Baokun,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on next-20210730]

url:    https://github.com/0day-ci/linux/commits/Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
base:    8d4b477da1a807199ca60e0829357ce7aa6758d5
config: s390-randconfig-r004-20210802 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 4f71f59bf3d9914188a11d0c41bedbb339d36ff5)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install s390 cross compiling tool for clang build
        # apt-get install binutils-s390x-linux-gnu
        # https://github.com/0day-ci/linux/commit/db848e3e79fb93dcba9390dda472184ab2d31f40
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
        git checkout db848e3e79fb93dcba9390dda472184ab2d31f40
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=s390 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> drivers/block/nbd.c:1402:16: warning: comparison of distinct pointer types ('typeof (arg) *' (aka 'unsigned long *') and 'typeof (config->blksize) *' (aka 'long long *')) [-Wcompare-distinct-pointer-types]
                   if (unlikely(check_mul_overflow(arg, config->blksize,
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/overflow.h:88:15: note: expanded from macro 'check_mul_overflow'
           (void) (&__a == &__b);                  \
                   ~~~~ ^  ~~~~
   include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
   # define unlikely(x)    __builtin_expect(!!(x), 0)
                                               ^
>> drivers/block/nbd.c:1402:16: warning: comparison of distinct pointer types ('typeof (arg) *' (aka 'unsigned long *') and 'typeof (&bytesize)' (aka 'long long *')) [-Wcompare-distinct-pointer-types]
                   if (unlikely(check_mul_overflow(arg, config->blksize,
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/overflow.h:89:15: note: expanded from macro 'check_mul_overflow'
           (void) (&__a == __d);                   \
                   ~~~~ ^  ~~~
   include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
   # define unlikely(x)    __builtin_expect(!!(x), 0)
                                               ^
   2 warnings generated.


vim +1402 drivers/block/nbd.c

  1381	
  1382	/* Must be called with config_lock held */
  1383	static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
  1384			       unsigned int cmd, unsigned long arg)
  1385	{
  1386		struct nbd_config *config = nbd->config;
  1387		loff_t bytesize;
  1388	
  1389		switch (cmd) {
  1390		case NBD_DISCONNECT:
  1391			return nbd_disconnect(nbd);
  1392		case NBD_CLEAR_SOCK:
  1393			nbd_clear_sock_ioctl(nbd, bdev);
  1394			return 0;
  1395		case NBD_SET_SOCK:
  1396			return nbd_add_socket(nbd, arg, false);
  1397		case NBD_SET_BLKSIZE:
  1398			return nbd_set_size(nbd, config->bytesize, arg);
  1399		case NBD_SET_SIZE:
  1400			return nbd_set_size(nbd, arg, config->blksize);
  1401		case NBD_SET_SIZE_BLOCKS:
> 1402			if (unlikely(check_mul_overflow(arg, config->blksize,
  1403							&bytesize)))
  1404				return -EINVAL;
  1405			return nbd_set_size(nbd, bytesize, config->blksize);
  1406		case NBD_SET_TIMEOUT:
  1407			nbd_set_cmd_timeout(nbd, arg);
  1408			return 0;
  1409	
  1410		case NBD_SET_FLAGS:
  1411			config->flags = arg;
  1412			return 0;
  1413		case NBD_DO_IT:
  1414			return nbd_start_device_ioctl(nbd, bdev);
  1415		case NBD_CLEAR_QUE:
  1416			/*
  1417			 * This is for compatibility only.  The queue is always cleared
  1418			 * by NBD_DO_IT or NBD_CLEAR_SOCK.
  1419			 */
  1420			return 0;
  1421		case NBD_PRINT_DEBUG:
  1422			/*
  1423			 * For compatibility only, we no longer keep a list of
  1424			 * outstanding requests.
  1425			 */
  1426			return 0;
  1427		}
  1428		return -ENOTTY;
  1429	}
  1430	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
kernel test robot Aug. 2, 2021, 11:38 a.m. UTC | #2
Hi Baokun,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on next-20210730]

url:    https://github.com/0day-ci/linux/commits/Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
base:    8d4b477da1a807199ca60e0829357ce7aa6758d5
config: sh-randconfig-r005-20210802 (attached as .config)
compiler: sh4-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/db848e3e79fb93dcba9390dda472184ab2d31f40
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Baokun-Li/nbd-add-the-check-to-prevent-overflow-in-__nbd_ioctl/20210802-154727
        git checkout db848e3e79fb93dcba9390dda472184ab2d31f40
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash drivers/block/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from include/asm-generic/bug.h:5,
                    from arch/sh/include/asm/bug.h:112,
                    from include/linux/bug.h:5,
                    from include/linux/thread_info.h:13,
                    from include/asm-generic/current.h:5,
                    from ./arch/sh/include/generated/asm/current.h:1,
                    from include/linux/sched.h:12,
                    from include/linux/blkdev.h:5,
                    from drivers/block/nbd.c:16:
   drivers/block/nbd.c: In function '__nbd_ioctl':
>> include/linux/overflow.h:88:15: warning: comparison of distinct pointer types lacks a cast
      88 |  (void) (&__a == &__b);   \
         |               ^~
   include/linux/compiler.h:78:42: note: in definition of macro 'unlikely'
      78 | # define unlikely(x) __builtin_expect(!!(x), 0)
         |                                          ^
   drivers/block/nbd.c:1402:16: note: in expansion of macro 'check_mul_overflow'
    1402 |   if (unlikely(check_mul_overflow(arg, config->blksize,
         |                ^~~~~~~~~~~~~~~~~~
   include/linux/overflow.h:89:15: warning: comparison of distinct pointer types lacks a cast
      89 |  (void) (&__a == __d);   \
         |               ^~
   include/linux/compiler.h:78:42: note: in definition of macro 'unlikely'
      78 | # define unlikely(x) __builtin_expect(!!(x), 0)
         |                                          ^
   drivers/block/nbd.c:1402:16: note: in expansion of macro 'check_mul_overflow'
    1402 |   if (unlikely(check_mul_overflow(arg, config->blksize,
         |                ^~~~~~~~~~~~~~~~~~


vim +88 include/linux/overflow.h

f0907827a8a915 Rasmus Villemoes 2018-05-08  83  
9b80e4c4ddaca3 Kees Cook        2020-08-12  84  #define check_mul_overflow(a, b, d) __must_check_overflow(({	\
f0907827a8a915 Rasmus Villemoes 2018-05-08  85  	typeof(a) __a = (a);			\
f0907827a8a915 Rasmus Villemoes 2018-05-08  86  	typeof(b) __b = (b);			\
f0907827a8a915 Rasmus Villemoes 2018-05-08  87  	typeof(d) __d = (d);			\
f0907827a8a915 Rasmus Villemoes 2018-05-08 @88  	(void) (&__a == &__b);			\
f0907827a8a915 Rasmus Villemoes 2018-05-08  89  	(void) (&__a == __d);			\
f0907827a8a915 Rasmus Villemoes 2018-05-08  90  	__builtin_mul_overflow(__a, __b, __d);	\
9b80e4c4ddaca3 Kees Cook        2020-08-12  91  }))
f0907827a8a915 Rasmus Villemoes 2018-05-08  92  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Patch

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index c38317979f74..9f3e25f74e9b 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1384,6 +1384,7 @@  static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
 		       unsigned int cmd, unsigned long arg)
 {
 	struct nbd_config *config = nbd->config;
+	loff_t bytesize;
 
 	switch (cmd) {
 	case NBD_DISCONNECT:
@@ -1398,8 +1399,10 @@  static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
 	case NBD_SET_SIZE:
 		return nbd_set_size(nbd, arg, config->blksize);
 	case NBD_SET_SIZE_BLOCKS:
-		return nbd_set_size(nbd, arg * config->blksize,
-				    config->blksize);
+		if (unlikely(check_mul_overflow(arg, config->blksize,
+						&bytesize)))
+			return -EINVAL;
+		return nbd_set_size(nbd, bytesize, config->blksize);
 	case NBD_SET_TIMEOUT:
 		nbd_set_cmd_timeout(nbd, arg);
 		return 0;
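Review bot: The neighbouring `NBD_SET_SIZE` case, kept as context in this hunk, still passes the user-controlled `unsigned long arg` straight to `nbd_set_size()` as the byte size, so only the `NBD_SET_SIZE_BLOCKS` path is bounded by this change. Since `bytesize` is declared `loff_t` here, the parameter is presumably signed, and on 64-bit an `arg` above the signed maximum would then arrive as a negative size; this is inferred, because `nbd_set_size()` is not visible in the patch. A sign check would cover every caller, for example `if (bytesize < 0) return -EINVAL;` at the top of `nbd_set_size()`, or `if ((loff_t)arg < 0) return -EINVAL;` in the `NBD_SET_SIZE` case. The body of `__nbd_ioctl` continues outside the hunk.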