On 06/28/2018 06:48 AM, Andrew Morton wrote:
>> Hi,
>> This bug was found in Linux Kernel v4.18-rc2
>>
>> $ cat report0
>> ================================================================================
>> UBSAN: Undefined behaviour in mm/fadvise.c:76:10
>> signed integer overflow:
>> 4 + 9223372036854775805 cannot be represented in type 'long long int'
>> CPU: 0 PID: 13477 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:77 [inline]
>>  dump_stack+0x122/0x1c8 lib/dump_stack.c:113
>>  ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
>>  handle_overflow+0x1c2/0x21f lib/ubsan.c:190
>>  __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
>>  ksys_fadvise64_64+0xbf0/0xd10 mm/fadvise.c:76
>>  __do_sys_fadvise64 mm/fadvise.c:198 [inline]
>>  __se_sys_fadvise64 mm/fadvise.c:196 [inline]
>>  __x64_sys_fadvise64+0xa9/0x120 mm/fadvise.c:196
>>  do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
>
> That overflow is deliberate:
>
>         endbyte = offset + len;
>         if (!len || endbyte < len)
>                 endbyte = -1;
>         else
>                 endbyte--;              /* inclusive */
>
> Or is there a hole in this logic?
>
> If not, I guess we can do this another way to keep the checker happy.

It should be enough to make overflow unsigned. Unsigned overflow is defined by the C standard.
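The following is an added, self-contained C example written for this thread; it is not the kernel's own code nor the patch that was eventually applied. It shows the reply's suggestion in practice: the quoted endbyte computation relies on a wrapped signed sum coming out negative, which is undefined behaviour and is what UBSAN flagged. Doing the addition in unsigned arithmetic (defined wraparound) and testing "would the signed result exceed LLONG_MAX" gives the same -1 / endbyte-1 outcomes without UB. A second variant using the GCC/Clang __builtin_add_overflow extension is included for comparison. The example assumes offset and len are non-negative on entry (a simplifying assumption for the illustration; the real syscall path performs its own argument validation), and reuses the exact operands from the UBSAN report as the constructed test input.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Inclusive end byte of the range [offset, offset + len), following the
 * intent of the quoted mm/fadvise.c logic:
 *   - len == 0 means "to end of file", reported as -1
 *   - a range whose end cannot be represented also becomes -1
 *   - otherwise the exclusive end is turned into an inclusive one
 *
 * Assumption (hypothetical helper, not kernel code): offset >= 0, len >= 0.
 */
static long long fadvise_endbyte_unsigned(long long offset, long long len)
{
    /* Unsigned addition wraps modulo 2^64, which C defines; no UB here. */
    unsigned long long sum = (unsigned long long)offset + (unsigned long long)len;

    /*
     * With both operands non-negative, the signed sum is representable
     * exactly when the unsigned sum does not exceed LLONG_MAX.  This is
     * the unsigned equivalent of the original "endbyte < len" wrap check.
     */
    bool wrapped = sum > (unsigned long long)LLONG_MAX;

    if (len == 0 || wrapped)
        return -1;

    return (long long)sum - 1;          /* inclusive */
}

/*
 * Same contract, using the compiler's overflow-checked add.
 * __builtin_add_overflow returns true when the signed result would not fit.
 */
static long long fadvise_endbyte_builtin(long long offset, long long len)
{
    long long endbyte;

    if (len == 0 || __builtin_add_overflow(offset, len, &endbyte))
        return -1;

    return endbyte - 1;                 /* inclusive */
}

/* True when both variants agree for the given input (used by the demo). */
static bool variants_agree(long long offset, long long len)
{
    return fadvise_endbyte_unsigned(offset, len) ==
           fadvise_endbyte_builtin(offset, len);
}

int main(void)
{
    /* Constructed inputs; the first pair is the one from the UBSAN report. */
    struct { long long offset, len; } cases[] = {
        { 4, 9223372036854775805LL },   /* 4 + (LLONG_MAX - 2): wraps -> -1 */
        { 100, 50 },                    /* ordinary range -> 149 */
        { 100, 0 },                     /* len 0 -> -1 */
        { 0, LLONG_MAX },               /* exactly fits -> LLONG_MAX - 1 */
        { 1, LLONG_MAX },               /* one past the limit -> -1 */
    };

    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long long off = cases[i].offset, len = cases[i].len;
        printf("offset=%lld len=%lld -> endbyte=%lld (variants agree: %s)\n",
               off, len, fadvise_endbyte_unsigned(off, len),
               variants_agree(off, len) ? "yes" : "no");
    }
    return 0;
}
```

Note that the unsigned variant is only a faithful replacement under the non-negative precondition: a negative offset cast to unsigned becomes a huge value and would always read as "wrapped". The builtin variant has no such precondition, which is one reason checked-arithmetic helpers are generally preferable to hand-rolled wrap tests.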