Re: [PATCH] vt: keyboard: avoid integer overflow in k_ascii
From: Dmitry Torokhov
Date: Thu May 21 2020 - 02:36:09 EST
Hi,
On Thu, May 21, 2020 at 01:34:08AM +0000, Kyungtae Kim wrote:
> FuzzUSB (a variant of syzkaller) found an integer overflow
> while processing keycode value.
>
> Reference: https://lkml.org/lkml/2020/3/22/482
>
> This bug occurs because of no validity check when operating keycode values.
> By executing k_ascii() multiple times, npadch can have a large value
> close to the max of int type e.g., 1111111111.
> In the following, its muliplication causes an integer overflow.
>
> This fix prevents the overflow by checking npadch using check_mul_overflow()
> ahead of its operation.
>
>
> UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19
> signed integer overflow:
> 10 * 1111111111 cannot be represented in type 'int'
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xce/0x128 lib/dump_stack.c:118
> ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
> handle_overflow+0xdc/0xf0 lib/ubsan.c:184
> __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
> k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
> kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
> kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
> input_to_handler+0x3a9/0x4b0 drivers/input/input.c:118
> input_pass_values.part.8+0x25e/0x690 drivers/input/input.c:145
> input_pass_values drivers/input/input.c:193 [inline]
> input_repeat_key+0x1f8/0x2c0 drivers/input/input.c:194
> call_timer_fn+0x20e/0x770 kernel/time/timer.c:1404
> expire_timers kernel/time/timer.c:1449 [inline]
> __run_timers kernel/time/timer.c:1773 [inline]
> run_timer_softirq+0x63f/0x13c0 kernel/time/timer.c:1786
> __do_softirq+0x262/0xb46 kernel/softirq.c:292
> invoke_softirq kernel/softirq.c:373 [inline]
> irq_exit+0x161/0x1b0 kernel/softirq.c:413
> exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> smp_apic_timer_interrupt+0x137/0x500 arch/x86/kernel/apic/apic.c:1146
> apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> </IRQ>
> RIP: 0010:default_idle+0x2d/0x2e0 arch/x86/kernel/process.c:696
> Code: e5 41 57 41 56 65 44 8b 35 30 9d 5d 7a 41 55 41 54 53 0f 1f 44 00 00 e8 11 42 a4 fb e9 07 00 00 00 0f 00 2d d5 29 5e 00 fb f4 <65> 44 8b 35 0b 9d 5d 7a 0f 1f 44 00 00 5b 41 5c 41 5d 41 5e 41 5f
> RSP: 0018:ffffffff87007ce8 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13
> RAX: 0000000000000007 RBX: ffffffff87032900 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff87033154
> RBP: ffffffff87007d10 R08: fffffbfff0e06521 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffffff88c99c00 R14: 0000000000000000 R15: 0000000000000000
> arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:686
> default_idle_call+0x50/0x70 kernel/sched/idle.c:94
> cpuidle_idle_call kernel/sched/idle.c:154 [inline]
> do_idle+0x332/0x530 kernel/sched/idle.c:269
> cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:361
> rest_init+0x240/0x3d0 init/main.c:660
> arch_call_rest_init+0xe/0x1b
> start_kernel+0x7f6/0x81e init/main.c:997
> x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:490
> x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:471
> secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
>
>
> Signed-off-by: Kyungtae Kim <kt0755@xxxxxxxxx>
> Reported-and-tested-by: Kyungtae Kim <kt0755@xxxxxxxxx>
>
> ---
> drivers/tty/vt/keyboard.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> index 15d33fa0c925..f7e1bb21bd9c 100644
> --- a/drivers/tty/vt/keyboard.c
> +++ b/drivers/tty/vt/keyboard.c
> @@ -869,6 +869,7 @@ static void k_meta(struct vc_data *vc, unsigned char value, char up_flag)
> static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
> {
> int base;
> + int bytes;
>
> if (up_flag)
> return;
> @@ -884,6 +885,8 @@ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
>
> if (npadch == -1)
> npadch = value;
> + else if (check_mul_overflow(npadch, base, &bytes) || check_add_overflow(bytes, value, &bytes))
> + return;
Why do we discard the result of calculation and repeat it again below?
Can we say
else if (check_mul_overflow(npadch, base, &new_npadch) ||
check_add_overflow(new_npadch, value, &new_npadch))
npadch = new_npadch;
Thanks.
--
Dmitry