[PATCH] scsi: sr: fix unintentional arithmetic wraparound

From: Justin Stitt
Date: Tue May 07 2024 - 20:10:27 EST

Next message: Google: "Re: [PATCH] perf dwarf-aux: Print array type name with "[]""
Previous message: Jason Gunthorpe: "Re: [PATCH v5 2/9] iommu: Replace sva_iommu with iommu_attach_handle"
Next in thread: Kees Cook: "Re: [PATCH] scsi: sr: fix unintentional arithmetic wraparound"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Running syzkaller with the newly reintroduced signed integer overflow
sanitizer produces this report:

[ 65.194362] ------------[ cut here ]------------
[ 65.197752] UBSAN: signed-integer-overflow in ../drivers/scsi/sr_ioctl.c:436:9
[ 65.203607] -2147483648 * 177 cannot be represented in type 'int'
[ 65.207911] CPU: 2 PID: 10416 Comm: syz-executor.1 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[ 65.213585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 65.219923] Call Trace:
[ 65.221556] <TASK>
[ 65.223029] dump_stack_lvl+0x93/0xd0
[ 65.225573] handle_overflow+0x171/0x1b0
[ 65.228219] sr_select_speed+0xeb/0xf0
[ 65.230786] ? __pm_runtime_resume+0xe6/0x130
[ 65.233606] sr_block_ioctl+0x15d/0x1d0
..

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").

Let's add an extra check to make sure we don't exceed 0xffff/177 (350)
since 0xffff is the max speed. This has two benefits: 1) we deal with
integer overflow before it happens and 2) we properly respect the max
speed of 0xffff. There are some "magic" numbers here but I did not want
to change more than what was necessary.

Link: https://github.com/llvm/llvm-project/pull/82432 [1]
Closes: https://github.com/KSPP/linux/issues/357
Cc: linux-hardening@xxxxxxxxxxxxxxx
Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
---
Here's the syzkaller reproducer:
r0 = openat$cdrom(0xffffffffffffff9c, &(0x7f0000000140), 0x800, 0x0)
ioctl$CDROM_SELECT_SPEED(r0, 0x5322, 0x7ee9f7c1)

.. which was used against Kees' tree here (v6.8rc2):
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=wip/v6.9-rc2/unsigned-overflow-sanitizer

.. with this config:
https://gist.github.com/JustinStitt/824976568b0f228ccbcbe49f3dee9bf4
---
drivers/scsi/sr_ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 5b0b35e60e61..2d78bcf68eb3 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -430,7 +430,8 @@ int sr_select_speed(struct cdrom_device_info *cdi, int speed)
Scsi_CD *cd = cdi->handle;
struct packet_command cgc;

- if (speed == 0)
+ /* avoid exceeding the max speed or overflowing integer bounds */
+ if (speed == 0 || speed > 0xffff / 177)
speed = 0xffff; /* set to max */
else
speed *= 177; /* Nx to kbyte/s */

---
base-commit: 0106679839f7c69632b3b9833c3268c316c0a9fc
change-id: 20240507-b4-b4-sio-sr_select_speed-e68c0d426891

Best regards,
--
Justin Stitt <justinstitt@xxxxxxxxxx>

Next message: Google: "Re: [PATCH] perf dwarf-aux: Print array type name with "[]""
Previous message: Jason Gunthorpe: "Re: [PATCH v5 2/9] iommu: Replace sva_iommu with iommu_attach_handle"
Next in thread: Kees Cook: "Re: [PATCH] scsi: sr: fix unintentional arithmetic wraparound"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]