Re: [PATCH v2] hpet: Fix division by zero in hpet_time_div()

From: Arnd Bergmann
Date: Thu Jul 11 2019 - 09:58:34 EST


On Thu, Jul 11, 2019 at 3:22 PM Kefeng Wang <wangkefeng.wang@xxxxxxxxxx> wrote:
>
> The base value in do_div() called by hpet_time_div() is truncated from
> unsigned long to uint32_t, resulting in a divide-by-zero exception.
>
> UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
> division by zero
> CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
> ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
> 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
> Call Trace:
> [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
> [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
> [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
> [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
> [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
> [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
> [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
> [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
> [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
> [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
> [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
> [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
> [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
> [<ffffffff82846003>] tracesys_phase2+0x90/0x95
>
> The main C reproducer autogenerated by syzkaller,
>
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> memcpy((void*)0x20000100, "/dev/hpet\000", 10);
> syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
> syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);
>
> Fix it by using div64_ul().
>
> Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
> Signed-off-by: Zhang HongJun <zhanghongjun2@xxxxxxxxxx>

Reviewed-by: Arnd Bergmann <arnd@xxxxxxxx>