oss-sec mailing list archives
signed integer overflow in common_timer_get on linux 4.15.0-rc1
From: at zhou <zhouat2017 () gmail com>
Date: Thu, 7 Dec 2017 17:57:32 +0800
Hi all,

credit to L5@360vulcan team

I fuzzed the Linux kernel and found a signed integer overflow on linux 4.15.0-rc1+. The crash log can be seen below; for the .config and the PoC file, please see the attachments.

(1) test environment

branch 4.15.0-rc1
git log --oneline
43570f0 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

(2) steps to reproduce

0. use the config file to compile linux kernel 4.15.0-rc1+
1. gcc poc_timer_gettime.c -o poc_timer_gettime
2. ./poc_timer_gettime
3. crash can be reproduced then.

[ 2647.574621] UBSAN: Undefined behaviour in /home/l5/KERNEL/kernel/time/posix-timers.c:699:20
[ 2647.578402] signed integer overflow:
[ 2647.580095] 2041919421 + 2044944045 cannot be represented in type 'int'
[ 2647.583508] CPU: 0 PID: 2763 Comm: OF_timer_gettim Not tainted 4.15.0-rc1+ #1
[ 2647.587105] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 2647.591523] Call Trace:
[ 2647.592627]  dump_stack+0x104/0x1c0
[ 2647.594427]  ? _atomic_dec_and_lock+0x2c0/0x2c0
[ 2647.596747]  ubsan_epilogue+0xe/0x81
[ 2647.598226]  handle_overflow+0x1f1/0x25f
[ 2647.600570]  ? __ubsan_handle_negate_overflow+0x198/0x198
[ 2647.603496]  ? ktime_get+0x2c0/0x2c0
[ 2647.605333]  ? lock_release+0xca0/0xca0
[ 2647.607408]  ? lock_release+0xca0/0xca0
[ 2647.609217]  ? calibrate_delay+0x16e4/0x1cda
[ 2647.611266]  common_timer_get+0x633/0x7d0
[ 2647.613150]  ? posix_get_coarse_res+0x60/0x60
[ 2647.615184]  ? do_timer_gettime+0x180/0x180
[ 2647.617399]  ? posix_get_coarse_res+0x60/0x60
[ 2647.619631]  do_timer_gettime+0xe4/0x180
[ 2647.621438]  ? __lock_timer+0x6d0/0x6d0
[ 2647.623134]  ? SyS_timer_getoverrun+0x100/0x100
[ 2647.624774]  SyS_timer_gettime+0x6c/0xd0
[ 2647.626665]  ? compat_SyS_timer_create+0x100/0x100
[ 2647.628828]  ? trace_hardirqs_on_caller+0x3d0/0x690
[ 2647.631318]  ? entry_SYSCALL_64_fastpath+0x1f/0x96
[ 2647.633534]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 2647.635766] RIP: 0033:0x7f0624690b79
[ 2647.637456] RSP: 002b:00007ffd25121f58 EFLAGS: 00000217 ORIG_RAX: 00000000000000e0
[ 2647.641579] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0624690b79
[ 2647.645100] RDX: 00007f0624690b79 RSI: 0000000020000fe0 RDI: 0000000000000000
[ 2647.648448] RBP: 00007ffd25121f70 R08: 0000000000000000 R09: 0000000000000000
[ 2647.651741] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400450
[ 2647.655101] R13: 00007ffd25122070 R14: 0000000000000000 R15: 0000000000000000
[ 2647.658058] ================================================================================
Attachment: config
Attachment: poc_timer_gettime.c
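Editor's note with an added example. The UBSAN line in the report points at an `int` overrun accumulator in common_timer_get() that a timer_forward()-style call adds an interval count to on every timer_gettime(); the two addends UBSAN printed (2041919421 and 2044944045) already sum past INT_MAX. The C below is not from the report, the attached PoC, or the kernel tree: it replays those two values through the narrow pattern (detecting the overflow instead of committing the undefined add) and through a hardened variant that widens the accumulator to 64 bits and saturates when the count must be reported through an `int` interface such as timer_getoverrun(). Function and type names, and the clamp policy, are the editor's assumptions, not the upstream fix.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* The two addends from the UBSAN report: 2041919421 + 2044944045. */
static const int overrun_seen = 2041919421;
static const int forward_ret  = 2044944045;

/*
 * Narrow pattern from the report: `it_overrun += timer_forward(...)`
 * with both operands `int`. Rather than perform the add (undefined
 * behaviour on overflow, which is what UBSAN trapped), check it first.
 * __builtin_add_overflow is a GCC/Clang builtin. Returns 1 and leaves
 * *acc untouched when the sum does not fit in an int, 0 otherwise.
 */
int narrow_accumulate(int *acc, int fwd)
{
    int sum;
    if (__builtin_add_overflow(*acc, fwd, &sum))
        return 1;
    *acc = sum;
    return 0;
}

/*
 * Hardened pattern (editor's assumption, not the kernel's code): keep the
 * running count in a 64-bit signed integer. Each addend is at most
 * INT_MAX, so no realistic number of timer_gettime() calls can overflow it.
 */
void wide_accumulate(int64_t *acc, int fwd)
{
    *acc += fwd;
}

/*
 * Saturate when the 64-bit count has to cross an int boundary (the
 * timer_getoverrun() return type). A negative count is clamped to 0
 * because an overrun count cannot be negative; both choices are the
 * editor's policy for this example.
 */
int overrun_to_int(int64_t ov)
{
    if (ov > (int64_t)INT_MAX)
        return INT_MAX;
    if (ov < 0)
        return 0;
    return (int)ov;
}

int main(void)
{
    int narrow = overrun_seen;
    int64_t wide = overrun_seen;

    if (narrow_accumulate(&narrow, forward_ret))
        printf("int accumulator: %d + %d does not fit in int (UBSAN's finding)\n",
               overrun_seen, forward_ret);

    wide_accumulate(&wide, forward_ret);
    printf("int64 accumulator: %" PRId64 ", reported through int as %d\n",
           wide, overrun_to_int(wide));
    return 0;
}
```

Compiling a plain `acc += fwd` on these values with `-fsanitize=signed-integer-overflow` produces the same "cannot be represented in type 'int'" diagnostic in userspace that the kernel's UBSAN printed here.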
Current thread:
- signed integer overflow in common_timer_get on linux 4.15.0-rc1 at zhou (Dec 07)
- Re: signed integer overflow in common_timer_get on linux 4.15.0-rc1 Greg KH (Dec 07)
- Re: signed integer overflow in common_timer_get on linux 4.15.0-rc1 Dan Carpenter (Dec 08)
- Re: signed integer overflow in common_timer_get on linux 4.15.0-rc1 Greg KH (Dec 08)
- Re: Re: signed integer overflow in common_timer_get on linux 4.15.0-rc1 Daniel Micay (Dec 08)
- Re: signed integer overflow in common_timer_get on linux 4.15.0-rc1 Dan Carpenter (Dec 08)