Re: [kees:devel/overflow/sanitizers] [overflow] 660787b56e: UBSAN:signed-integer-overflow_in_lib/test_memcat_p.c

From: Oliver Sang
Date: Tue Jan 30 2024 - 20:34:44 EST


hi, Kees,

On Tue, Jan 30, 2024 at 04:23:06PM -0800, Kees Cook wrote:
> On Tue, Jan 30, 2024 at 10:52:56PM +0800, kernel test robot wrote:
> >

..

> > while testing, we observed below different (and same part) between parent and
> > this commit:
> >
> > ea804316c9db5148 660787b56e6e97ddc34c7882cbe
> > ---------------- ---------------------------
> > fail:runs %reproduction fail:runs
> > | | |
> > 6:6 0% 6:6 dmesg.UBSAN:shift-out-of-bounds_in_arch/x86/kernel/cpu/intel.c
> > 6:6 0% 6:6 dmesg.UBSAN:shift-out-of-bounds_in_arch/x86/kernel/cpu/topology.c
> > 6:6 0% 6:6 dmesg.UBSAN:shift-out-of-bounds_in_fs/namespace.c
> > 6:6 0% 6:6 dmesg.UBSAN:shift-out-of-bounds_in_fs/read_write.c
> > 6:6 0% 6:6 dmesg.UBSAN:shift-out-of-bounds_in_include/linux/rhashtable.h
> > 6:6 0% 6:6 dmesg.UBSAN:shift-out-of-bounds_in_include/net/tcp.h
>
> Are these shift-out-of-bounds warnings new?

no, they also happen on parent commit.

thanks a lot for all guildance!

>
> > :6 100% 6:6 dmesg.UBSAN:signed-integer-overflow_in_lib/test_memcat_p.c
>
> This is new for sure, catching an issue you show below...
>
> > this looks like the commit uncovered issue. but since it's hard for us to back
> > port this commit to each commit while bisecting, we cannot capture the real
> > first bad commit. not sure if this report could help somebody to investigate
> > the real issue?
>
> Yeah, I think there is an unexpected wrap-around in test_memcat_p.c:
>
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> > | Closes: https://lore.kernel.org/oe-lkp/202401302219.db90a6d5-oliver.sang@xxxxxxxxx
> >
> >
> > [ 42.894536][ T1] ------------[ cut here ]------------
> > [ 42.895474][ T1] UBSAN: signed-integer-overflow in lib/test_memcat_p.c:47:10
> > [ 42.897128][ T1] 6570 * 725861 cannot be represented in type 'int'
>
> I'm surprised to see the sanitizer catching anything here since the
> kernel is built with -fno-strict-overflow, but regardless, I'll send a
> patch...
>
> -Kees
>
> --
> Kees Cook