Bug 200211 - UBSAN: Undefined behaviour in sound/core/seq/seq_clientmgr.c:LINE
Summary: UBSAN: Undefined behaviour in sound/core/seq/seq_clientmgr.c:LINE
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Sound(ALSA) (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Jaroslav Kysela
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-22 23:41 UTC by icytxw
Modified: 2018-07-03 09:32 UTC (History)
1 user (show)

See Also:
Kernel Version: v4.18-rc2
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description icytxw 2018-06-22 23:41:12 UTC 
Hi,
This bug was found in Linux Kernel v4.18-rc2

$ cat report10 
================================================================================
UBSAN: Undefined behaviour in sound/core/seq/seq_clientmgr.c:2007:14
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
CPU: 0 PID: 4101 Comm: syz-executor0 Not tainted 4.18.0-rc1 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 handle_overflow+0x1c2/0x21f lib/ubsan.c:190
 ? 0xffffffffa0000077
 ? 0xffffffffa0000077
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 snd_seq_ioctl_query_next_client+0x1ac/0x1d0 sound/core/seq/seq_clientmgr.c:2007
 snd_seq_ioctl+0x264/0x3d0 sound/core/seq/seq_clientmgr.c:2144
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1e8/0x1340 fs/ioctl.c:686
 ? 0xffffffffa0000077
 ksys_ioctl+0x9c/0xb0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x81/0xd0 fs/ioctl.c:706
 do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f5c3890ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f5c3890b6d4 RCX: 0000000000455a09
RDX: 00000000200001c0 RSI: 00000000c0bc5351 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000345 R14: 00000000006f9f18 R15: 0000000000000000
================================================================================
mmap: syz-executor1 (4133) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.
SELinux:  policydb magic number 0x464c457f does not match expected magic number 0xf97cff8c
SELinux: failed to load policy
SELinux:  policydb magic number 0x464c457f does not match expected magic number 0xf97cff8c
SELinux: failed to load policy
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=16 sclass=netlink_tcpdiag_socket pig=4266 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=16 sclass=netlink_tcpdiag_socket pig=4275 comm=syz-executor1
SELinux: failed to load policy
SELinux: failed to load policy
capability: warning: `syz-executor0' uses deprecated v2 capabilities in a way that may be insecure
protocol 0000 is buggy, dev sit0

This bug can be repro, if you need it, please tell me.
Thanks,
Icytxw
Comment 1 Takashi Iwai 2018-07-03 09:32:12 UTC 
The fix was landed to 4.18-rc3.
Note You need to log in before you can comment on or make changes to this bug.