iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Justin Stitt 23cc6ef6fd fs: remove accidental overflow during wraparound check 
Running syzkaller with the newly enabled signed integer overflow
sanitizer produces this report:

[  195.401651] ------------[ cut here ]------------
[  195.404808] UBSAN: signed-integer-overflow in ../fs/open.c:321:15
[  195.408739] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long')
[  195.414683] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.420138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.425804] Call Trace:
[  195.427360]  <TASK>
[  195.428791]  dump_stack_lvl+0x93/0xd0
[  195.431150]  handle_overflow+0x171/0x1b0
[  195.433640]  vfs_fallocate+0x459/0x4f0
...
[  195.490053] ------------[ cut here ]------------
[  195.493146] UBSAN: signed-integer-overflow in ../fs/open.c:321:61
[  195.497030] 9223372036854775807 + 562984447377399 cannot be represented in type 'loff_t' (aka 'long long)
[  195.502940] CPU: 1 PID: 703 Comm: syz-executor.0 Not tainted 6.8.0-rc2-00039-g14de58dbe653-dirty #11
[  195.508395] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  195.514075] Call Trace:
[  195.515636]  <TASK>
[  195.517000]  dump_stack_lvl+0x93/0xd0
[  195.519255]  handle_overflow+0x171/0x1b0
[  195.521677]  vfs_fallocate+0x4cb/0x4f0
[  195.524033]  __x64_sys_fallocate+0xb2/0xf0

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").

Let's use the check_add_overflow helper to first verify the addition
stays within the bounds of its type (long long); then we can use that
sum for the following check.

Link: https://github.com/llvm/llvm-project/pull/82432 [1]
Closes: https://github.com/KSPP/linux/issues/356
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240513-b4-sio-vfs_fallocate-v2-1-db415872fb16@google.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-05-27 15:58:46 +02:00
..
9p
netfs: Remove the old writeback code
2024-05-01 18:07:38 +01:00
adfs
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
affs
affs: remove SLAB_MEM_SPREAD flag usage
2024-02-26 11:36:28 +01:00
afs
vfs-6.10.netfs
2024-05-13 12:14:03 -07:00
autofs
dcache stuff for this cycle
2024-01-11 20:11:35 -08:00
bcachefs
bcachefs fixes for 6.10-rc1
2024-05-24 09:07:22 -07:00
befs
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
bfs
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
btrfs
for-6.10-tag
2024-05-24 09:40:31 -07:00
cachefiles
Assorted commits that had missed the last merge window...
2024-05-21 13:11:44 -07:00
ceph
We have a series from Xiubo that adds support for additional access
2024-05-25 14:23:58 -07:00
coda
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
configfs
cramfs
use ->bd_mapping instead of ->bd_inode->i_mapping
2024-05-03 02:36:51 -04:00
crypto
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
debugfs
vfs: Convert debugfs to use the new mount API
2024-03-26 09:04:54 +01:00
devpts
fs: Remove the now superfluous sentinel elements from ctl_table array
2023-12-28 04:57:57 -08:00
dlm
dlm: return -ENOMEM if ls_recover_buf fails
2024-04-23 16:08:55 -05:00
ecryptfs
hardening updates for 6.10-rc1
2024-05-13 14:14:05 -07:00
efivarfs
efi: Clear up misconceptions about a maximum variable name size
2024-04-13 10:33:02 +02:00
efs
efs: remove SLAB_MEM_SPREAD flag usage
2024-02-27 11:21:33 +01:00
erofs
Changes since last update:
2024-05-24 09:31:50 -07:00
exfat
exfat: zero the reserved fields of file and stream extension dentries
2024-04-25 21:59:59 +09:00
exportfs
fs: Create a generic is_dot_dotdot() utility
2024-01-23 10:58:56 -05:00
ext2
ext2: Remove LEGACY_DIRECT_IO dependency
2024-05-03 11:50:28 +02:00
ext4
bd_inode series
2024-05-21 09:51:42 -07:00
f2fs
f2fs update for 6.10-rc1
2024-05-20 13:23:43 -07:00
fat
fs: add kernel-doc comments to fat_parse_long()
2024-04-25 21:07:02 -07:00
freevxfs
freevxfs: Convert freevxfs to the new mount API.
2024-03-26 09:04:53 +01:00
fuse
virtio: features, fixes, cleanups
2024-05-23 12:04:36 -07:00
gfs2
bd_inode series
2024-05-21 09:51:42 -07:00
hfs
hfs: really remove hfs_writepage
2023-12-29 11:58:34 -08:00
hfsplus
hfsplus: refactor copy_name to not use strncpy
2024-04-24 16:55:28 -07:00
hostfs
hostfs: use d_splice_alias() calling conventions to simplify failure exits
2023-12-21 12:51:00 -05:00
hpfs
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
hugetlbfs
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
iomap
Kbuild updates for v6.10
2024-05-18 12:39:20 -07:00
isofs
isofs: Use *-y instead of *-objs in Makefile
2024-05-09 18:09:57 +02:00
jbd2
bd_inode series
2024-05-21 09:51:42 -07:00
jffs2
This pull request contains the following changes for JFFS2:
2024-05-25 13:23:42 -07:00
jfs
fs,block: yield devices early
2024-03-27 13:17:15 +01:00
kernfs
kernfs: mount: Remove unnecessary ‘NULL’ values from knparent
2024-05-04 19:02:39 +02:00
lockd
lockd: host: Remove unnecessary statements'host = NULL;'
2024-05-06 09:07:20 -04:00
minix
minix: convert minix to use the new mount api
2024-03-26 09:04:55 +01:00
netfs
smb3: reenable swapfiles over SMB3 mounts
2024-05-21 11:14:55 -05:00
nfs
NFS client updates for Linux 6.10
2024-05-23 13:51:09 -07:00
nfs_common
nfsd
tracing/treewide: Remove second parameter of __assign_str()
2024-05-22 20:14:47 -04:00
nilfs2
nilfs2: fix potential hang in nilfs_detach_log_writer()
2024-05-24 11:55:07 -07:00
nls
notify
Revert "fanotify: remove unneeded sub-zero check for unsigned value"
2024-05-20 12:43:58 -07:00
ntfs3
driver ntfs3 for linux 6.10
2024-05-25 14:19:01 -07:00
ocfs2
tracing/treewide: Remove second parameter of __assign_str()
2024-05-22 20:14:47 -04:00
omfs
openpromfs
openpromfs: finish conversion to the new mount API
2024-03-26 09:04:54 +01:00
orangefs
orangefs: fix out-of-bounds fsid access
2024-05-14 17:44:14 -07:00
overlayfs
overlayfs update for 6.10
2024-05-22 09:23:18 -07:00
proc
mm: /proc/pid/smaps_rollup: avoid skipping vma after getting mmap_lock again
2024-05-24 11:55:07 -07:00
pstore
pstore/zone: Don't clear memory twice
2024-03-09 12:33:22 -08:00
qnx4
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
qnx6
qnx6: convert qnx6 to use the new mount api
2024-03-26 09:04:53 +01:00
quota
quota: fix to propagate error of mark_dquot_dirty() to caller
2024-04-12 14:52:29 +02:00
ramfs
mm: switch mm->get_unmapped_area() to a flag
2024-04-25 20:56:25 -07:00
reiserfs
getting rid of bogus set_blocksize() uses, switching it
2024-05-21 08:34:51 -07:00
romfs
fs,block: yield devices early
2024-03-27 13:17:15 +01:00
smb
four smb client fixes, including two important netfs integration fixes
2024-05-25 22:33:10 -07:00
squashfs
Mainly singleton patches, documented in their respective changelogs.
2024-05-19 14:02:03 -07:00
sysfs
Merge 6.9-rc5 into driver-core-next
2024-04-23 13:27:43 +02:00
sysv
sysv: remove SLAB_MEM_SPREAD flag usage
2024-02-27 11:21:31 +01:00
tracefs
eventfs: Do not use attributes for events directory
2024-05-23 09:31:50 -04:00
ubifs
This pull request contains updates for UBI and UBIFS:
2024-03-21 15:09:29 -07:00
udf
udf: Use a folio in udf_write_end()
2024-04-23 15:37:02 +02:00
ufs
mm, slab: remove last vestiges of SLAB_MEM_SPREAD
2024-03-12 20:32:19 -07:00
unicode
kbuild: use $(src) instead of $(srctree)/$(src) for source directory
2024-05-10 04:34:52 +09:00
vboxsf
vboxsf: explicitly deny setlease attempts
2024-04-03 16:06:39 +02:00
verity
fsverity: use register_sysctl_init() to avoid kmemleak warning
2024-05-03 08:30:58 -07:00
xfs
tracing/treewide: Remove second parameter of __assign_str()
2024-05-22 20:14:47 -04:00
zonefs
zonefs: Use str_plural() to fix Coccinelle warning
2024-04-10 07:23:47 +09:00
aio.c
Assorted commits that had missed the last merge window...
2024-05-21 13:11:44 -07:00
anon_inodes.c
fs: Create anon_inode_getfile_fmode()
2024-04-26 10:33:05 +02:00
attr.c
lsm/stable-6.9 PR 20240312
2024-03-12 20:03:34 -07:00
backing-file.c
ovl: implement tmpfile
2024-05-02 20:35:57 +02:00
bad_inode.c
binfmt_elf_fdpic.c
binfmt_elf_fdpic: fix /proc/<pid>/auxv
2024-04-24 15:55:28 -07:00
binfmt_elf_test.c
binfmt_elf.c
Mainly singleton patches, documented in their respective changelogs.
2024-05-19 14:02:03 -07:00
binfmt_flat.c
binfmt_misc.c
execve updates for v6.7-rc1
2023-10-30 19:28:19 -10:00
binfmt_script.c
buffer.c
bd_inode series
2024-05-21 09:51:42 -07:00
char_dev.c
As usual, lots of singleton and doubleton patches all over the tree and
2023-11-02 20:53:31 -10:00
compat_binfmt_elf.c
coredump.c
virtio: features, fixes, cleanups
2024-05-23 12:04:36 -07:00
d_path.c
dax.c
dax: use huge_zero_folio
2024-04-25 20:56:20 -07:00
dcache.c
vfs: Delete the associated dentry when deleting a file
2024-05-22 08:49:13 -07:00
direct-io.c
fs/direct-io: remove redundant assignment to variable retval
2024-04-11 10:21:24 +02:00
drop_caches.c
eventfd.c
eventfd: strictly check the count parameter of eventfd_write to avoid inputting illegal strings
2024-02-08 10:12:26 +01:00
eventpoll.c
epoll: be better about file lifetimes
2024-05-05 14:00:48 -07:00
exec.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
fcntl.c
fcntl: add F_DUPFD_QUERY fcntl()
2024-05-10 08:26:31 +02:00
fhandle.c
fs: Annotate struct file_handle with __counted_by() and use struct_size()
2024-04-05 15:53:47 +02:00
file_table.c
lsm/stable-6.9 PR 20240312
2024-03-12 20:03:34 -07:00
file.c
get_file_rcu(): no need to check for NULL separately
2024-04-15 16:03:24 -04:00
filesystems.c
fs_context.c
fs_parser.c
__fs_parse: Correct a documentation comment
2024-02-02 13:11:50 +01:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
fs/writeback: remove unnecessary return in writeback_inodes_sb
2024-04-05 15:53:45 +02:00
fsopen.c
init.c
inode.c
bcachefs updates for 6.9
2024-03-15 09:00:09 -07:00
internal.h
ovl: implement tmpfile
2024-05-02 20:35:57 +02:00
ioctl.c
fs/ioctl: Add a comment to keep the logic in sync with LSM policies
2024-05-13 06:58:35 +02:00
Kconfig
- Sumanth Korikkar has taught s390 to allocate hotplug-time page frames
2024-03-14 17:43:30 -07:00
Kconfig.binfmt
kernel_read_file.c
libfs.c
shmem: Fix shmem_rename2()
2024-04-17 13:49:44 +02:00
locks.c
filelock: fix deadlock detection in POSIX locking
2024-02-20 09:53:33 +01:00
Makefile
vfs-6.9.pidfd
2024-03-11 10:21:06 -07:00
mbcache.c
vfs: remove SLAB_MEM_SPREAD flag usage
2024-02-27 11:21:31 +01:00
mnt_idmapping.c
fs/mnt_idmapping.c: Return -EINVAL when no map is written
2024-02-08 10:12:37 +01:00
mount.h
mounts: keep list of mounts in an rbtree
2023-11-18 14:56:16 +01:00
mpage.c
block, fs: Restore the per-bio/request data lifetime fields
2024-02-06 14:31:05 +01:00
namei.c
overlayfs update for 6.10
2024-05-22 09:23:18 -07:00
namespace.c
fs: relax mount_setattr() permission checks
2024-02-07 21:16:29 +01:00
nsfs.c
pidfs: remove config option
2024-03-13 12:53:53 -07:00
open.c
fs: remove accidental overflow during wraparound check
2024-05-27 15:58:46 +02:00
pidfs.c
fs/pidfs: make 'lsof' happy with our inode changes
2024-05-21 08:08:00 -07:00
pipe.c
fs/pipe: Convert to lockdep_cmp_fn
2024-02-02 13:11:49 +01:00
pnode.c
mounts: keep list of mounts in an rbtree
2023-11-18 14:56:16 +01:00
pnode.h
posix_acl.c
lsm/stable-6.9 PR 20240312
2024-03-12 20:03:34 -07:00
proc_namespace.c
namespace: extract show_path() helper
2023-11-18 14:56:16 +01:00
read_write.c
Assorted commits that had missed the last merge window...
2024-05-21 13:11:44 -07:00
readdir.c
fsnotify: optionally pass access range in file permission hooks
2023-12-12 16:20:02 +01:00
remap_range.c
vfs: export remap and write check helpers
2024-04-15 14:54:13 -07:00
select.c
fs/select: rework stack allocation hack for clang
2024-02-20 09:23:52 +01:00
seq_file.c
seq_file: Simplify __seq_puts()
2024-05-02 16:28:20 +02:00
signalfd.c
signalfd: convert to ->read_iter()
2024-04-10 16:23:04 -06:00
splice.c
remove call_{read,write}_iter() functions
2024-04-15 16:03:25 -04:00
stack.c
stat.c
statx: stx_subvol
2024-03-26 09:01:18 +01:00
statfs.c
super.c
\n
2024-05-20 12:31:43 -07:00
sync.c
sysctls.c
fs: Remove the now superfluous sentinel elements from ctl_table array
2023-12-28 04:57:57 -08:00
timerfd.c
timerfd: convert to ->read_iter()
2024-04-10 16:23:02 -06:00
userfaultfd.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
utimes.c
xattr.c
evm: Move to LSM infrastructure
2024-02-15 23:43:47 -05:00