Re: [kees:devel/overflow/sanitizers] [overflow] 660787b56e: UBSAN:signed-integer-overflow_in_lib/test_memcat_p.c

Oliver Sang <oliver.sang@xxxxxxxxx> · Wed, 31 Jan 2024 09:34:19 +0800

hi, Kees,

On Tue, Jan 30, 2024 at 04:23:06PM -0800, Kees Cook wrote:
> On Tue, Jan 30, 2024 at 10:52:56PM +0800, kernel test robot wrote:
> > 

...

> > while testing, we observed below different (and same part) between parent and
> > this commit:
> > 
> > ea804316c9db5148 660787b56e6e97ddc34c7882cbe
> > ---------------- ---------------------------
> >        fail:runs  %reproduction    fail:runs
> >            |             |             |
> >           6:6            0%           6:6     dmesg.UBSAN:shift-out-of-bounds_in_arch/x86/kernel/cpu/intel.c
> >           6:6            0%           6:6     dmesg.UBSAN:shift-out-of-bounds_in_arch/x86/kernel/cpu/topology.c
> >           6:6            0%           6:6     dmesg.UBSAN:shift-out-of-bounds_in_fs/namespace.c
> >           6:6            0%           6:6     dmesg.UBSAN:shift-out-of-bounds_in_fs/read_write.c
> >           6:6            0%           6:6     dmesg.UBSAN:shift-out-of-bounds_in_include/linux/rhashtable.h
> >           6:6            0%           6:6     dmesg.UBSAN:shift-out-of-bounds_in_include/net/tcp.h
> 
> Are these shift-out-of-bounds warnings new?

no, they also happen on parent commit.

thanks a lot for all guildance!

> 
> >            :6          100%           6:6     dmesg.UBSAN:signed-integer-overflow_in_lib/test_memcat_p.c
> 
> This is new for sure, catching an issue you show below...
> 
> > this looks like the commit uncovered issue. but since it's hard for us to back
> > port this commit to each commit while bisecting, we cannot capture the real
> > first bad commit. not sure if this report could help somebody to investigate
> > the real issue?
> 
> Yeah, I think there is an unexpected wrap-around in test_memcat_p.c:
> 
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> > | Closes: https://lore.kernel.org/oe-lkp/202401302219.db90a6d5-oliver.sang@xxxxxxxxx
> > 
> > 
> > [   42.894536][    T1] ------------[ cut here ]------------
> > [   42.895474][    T1] UBSAN: signed-integer-overflow in lib/test_memcat_p.c:47:10
> > [   42.897128][    T1] 6570 * 725861 cannot be represented in type 'int'
> 
> I'm surprised to see the sanitizer catching anything here since the
> kernel is built with -fno-strict-overflow, but regardless, I'll send a
> patch...
> 
> -Kees
> 
> -- 
> Kees Cook