From patchwork Tue Oct 24 07:44:17 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Feng X-Patchwork-Id: 116912 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp5513526qgn; Tue, 24 Oct 2017 00:47:54 -0700 (PDT) X-Google-Smtp-Source: ABhQp+RoZLUw0kle0XNAZXzh+fDEgwVU839QrnI7qYk4EFSzC7JqKL8L77fs1KcdDlxcouMCiCK3 X-Received: by 10.98.238.12 with SMTP id e12mr15130776pfi.223.1508831274694; Tue, 24 Oct 2017 00:47:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508831274; cv=none; d=google.com; s=arc-20160816; b=PcXly0rNg4uDtb+b5KyOmShm7+ve/F9ipVWOn8j3BORRxvKtOTAf0RiMPwB1+WLucM Pg4nNPLMsZ4880jlZpmDbMLFeuprhAhqx2LnQsWCAxRiOUXd1tIxDndW/6GiRdGZOeJz sBWY4I9a5FAoC+PBK6W/RkomvgYz+JhONGs37Wbvmd3cOQvVZZfVA7D1JJHpjcsHadbh fdJoERMyfdExZ1tjxIfgDqLsjTmDupngJWLu2MHP/mqU51RQE0QkzUaknHJ4RTL0911F SjrzYjd/RUSIiGWt3A2dVXzp3V488gKYjAV0081lRSGUx8juoVMNFWpQx8HBtOWPBrEp qY4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from:arc-authentication-results; bh=UTRGhMX9ox1Lwkb7DfX8Zwyq81oJyoKtY9F00iTn2dI=; b=wgcqrht02WKh0Q/vv7BVYQDR6F6oBz0G1N3/VD1uJdcB9lJVmljc/UsdPhDxDQTS0Q 2GPzttyzejTQy6ICg/RgUiXB8wd525xcBwF/0ZTqK6IAEV4dXGuxjoPW8+Cc/edweBr7 w+4X4dg8KZ38/mGt83vGWIA0RA2y12ps1VKTS0DvQjson9BucUMUHLWpmSd8hI4B2IBg 2QXppS/fsLVwKoUueTd90MRp+/Z7UI6YHTk/UZNSCdHI6eef4Hdi5IAwuG4x/KL5mZcd 9OaULh6V/ELfz4goRha2j56VogEGuhyiLobRu56jVWuDDfu1MDl1I92arGBntY8hD9h2 CHXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m6si6625740pff.584.2017.10.24.00.47.53; Tue, 24 Oct 2017 00:47:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751770AbdJXHrw (ORCPT + 27 others); Tue, 24 Oct 2017 03:47:52 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:8978 "EHLO szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751732AbdJXHrt (ORCPT ); Tue, 24 Oct 2017 03:47:49 -0400 Received: from 172.30.72.58 (EHLO DGGEMS405-HUB.china.huawei.com) ([172.30.72.58]) by dggrg04-dlp.huawei.com (MOS 4.4.6-GA FastPath queued) with ESMTP id DJS02690; Tue, 24 Oct 2017 15:44:27 +0800 (CST) Received: from vm163-62.huawei.com (10.184.163.62) by DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.361.1; Tue, 24 Oct 2017 15:44:17 +0800 From: Chen Feng To: , , , , CC: , , Subject: [PATCH RFC] random: fix syzkaller fuzzer test int overflow Date: Tue, 24 Oct 2017 15:44:17 +0800 Message-ID: <1508831057-64195-1-git-send-email-puck.chen@hisilicon.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 X-Originating-IP: [10.184.163.62] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090206.59EEEF5C.0026, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 15e174f6958fe372e48b653b724105df Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [pid:11940,cpu6,syz-executor][flp_ioctl]cmd[0x1] Restart is not permit -- 1.9.1 ================================================================= UBSAN: Undefined behaviour in kernel/linux-4.4/drivers/char/random.c:676:19 signed integer overflow: 2147483645 + 268435455 cannot be represented in type 'int' CPU: 4 PID: 11941 Comm: syz-executor Not tainted 4.4.76+ #2 TGID: 11928 Comm: syz-executor Hardware name: hi3660 (DT) Call trace: [] dump_backtrace+0x0/0x314 [] show_stack+0x1c/0x24 [] dump_stack+0xdc/0x130 [] ubsan_epilogue+0x18/0x6c [] handle_overflow+0x180/0x1d4 [] __ubsan_handle_add_overflow+0x2c/0x34 [] credit_entropy_bits+0x358/0x9a8 [] random_ioctl+0x338/0x384 [] do_vfs_ioctl+0x60c/0xa4c [] SyS_ioctl+0x9c/0xc0 [] el0_svc_naked+0x24/0x28 ================================================================= Signed-off-by: Chen Feng Signed-off-by: Yukun Zhao --- drivers/char/random.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 1ef2640..6f2bd6a 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -699,6 +699,11 @@ static void credit_entropy_bits(struct entropy_store *r, int nbits) if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) goto retry; + if (INT_MAX - nbits < r->entropy_total) { + WARN_ON(1); + return; + } + r->entropy_total += nbits; if (!r->initialized && r->entropy_total > 128) { r->initialized = 1;