On Wed, May 08, 2024 at 12:02:27AM +0000, Justin Stitt wrote: > Running syzkaller with the newly reintroduced signed integer overflow > sanitizer produces this report: > > [ 65.194362] ------------[ cut here ]------------ > [ 65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9 > [ 65.203607] -2147483648 * 177 cannot be represented in type 'int' > [ 65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 > [ 65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 > [ 65.219923] Call Trace: > [ 65.221556] <TASK> > [ 65.223029] dump_stack_lvl+0x93/0xd0 > [ 65.225573] handle_overflow+0x171/0x1b0 > [ 65.228219] sr_select_speed+0xeb/0xf0 > [ 65.230786] ? __pm_runtime_resume+0xe6/0x130 > [ 65.233606] sr_block_ioctl+0x15d/0x1d0 > ... > > Historically, the signed integer overflow sanitizer did not work in the > kernel due to its interaction with `-fwrapv` but this has since been > changed [1] in the newest version of Clang. It was re-enabled in the > kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow > sanitizer"). > > Let's add an extra check to make sure we don't exceed 0xffff/177 (350) > since 0xffff is the max speed. This has two benefits: 1) we deal with > integer overflow before it happens and 2) we properly respect the max > speed of 0xffff. There are some "magic" numbers here but I did not want > to change more than what was necessary. > > Link: https://github.com/llvm/llvm-project/pull/82432 [1] > Closes: https://github.com/KSPP/linux/issues/357 > Cc: linux-hardening@xxxxxxxxxxxxxxx > Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx> > --- > Here's the syzkaller reproducer: > r0 = openat$cdrom(0xffffffffffffff9c, &(0x7f0000000140), 0x800, 0x0) > ioctl$CDROM_SELECT_SPEED(r0, 0x5322, 0x7ee9f7c1) > > ... which was used against Kees' tree here (v6.8rc2): > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=wip/v6.9-rc2/unsigned-overflow-sanitizer > > ... with this config: > https://gist.github.com/JustinStitt/824976568b0f228ccbcbe49f3dee9bf4 > --- > drivers/scsi/sr_ioctl.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c > index 5b0b35e60e61..2d78bcf68eb3 100644 > --- a/drivers/scsi/sr_ioctl.c > +++ b/drivers/scsi/sr_ioctl.c > @@ -430,7 +430,8 @@ int sr_select_speed(struct cdrom_device_info *cdi, int speed) > Scsi_CD *cd = cdi->handle; > struct packet_command cgc; > > - if (speed == 0) > + /* avoid exceeding the max speed or overflowing integer bounds */ > + if (speed == 0 || speed > 0xffff / 177) > speed = 0xffff; /* set to max */ > else > speed *= 177; /* Nx to kbyte/s */ I didn't see a "speed < 0" check, so I went to check the type on "speed" and found it to be "int". So I'd expect such a check, but then I looked at the interface: I think it's wrong that "speed" is an int at all. There's only 1 caller, and 1 implementation of "select_speed": $ git grep '\.select_speed' drivers/scsi/sr.c: .select_speed = sr_select_speed, static int cdrom_ioctl_select_speed(struct cdrom_device_info *cdi, unsigned long arg) { ... return cdi->ops->select_speed(cdi, arg); } And the arg there is unsigned long (?!). So I think probably the prototype should be changed to unsigned long, and then it can clamp the "speed" argument: + /* avoid exceeding the max speed or overflowing integer bounds */ + speed = clamp(0, speed, 0xffff / 177); if (speed == 0) speed = 0xffff; /* set to max */ else speed *= 177; /* Nx to kbyte/s */ Then the "negative" values go away are then correctly treated as "too big" in the clamping. -Kees -- Kees Cook