Bug 219988 - UBSAN: shift-out-of-bounds in xprt_calc_majortimeo
Summary: UBSAN: shift-out-of-bounds in xprt_calc_majortimeo
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: NFS
Hardware: All Linux
: P3 normal
Assignee: Trond Myklebust
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-04-07 10:10 UTC by wangzhaolong1
Modified: 2025-04-07 10:10 UTC

See Also:
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:



Description wangzhaolong1 2025-04-07 10:10:45 UTC
Both UBSAN and NFS-over-UDP support must be enabled in the kernel configuration to reproduce the problem.

```
CONFIG_NFS_DISABLE_UDP_SUPPORT=n

CONFIG_ARCH_HAS_UBSAN=y
CONFIG_UBSAN=y
CONFIG_CC_HAS_UBSAN_BOUNDS_STRICT=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_BOUNDS_STRICT=y
CONFIG_UBSAN_SHIFT=y
CONFIG_UBSAN_BOOL=y
CONFIG_UBSAN_ENUM=y
```

# Reproduction

```c
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Fallback syscall numbers for toolchains whose <sys/syscall.h> does not
 * define them. The values (mkdirat 34, mmap 222, mount 40) are the asm-generic
 * table, which is the one arm64 uses — consistent with the arm64 frames
 * (el0_svc, __arm64_sys_mount) in the trace below. Where the header already
 * defines the symbol, the header value wins because of the #ifndef.
 */
#ifndef __NR_mkdirat
#define __NR_mkdirat 34
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_mount
#define __NR_mount 40
#endif

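/*
 * Create an anonymous, private mapping at a fixed address.
 *
 * Every later store in main() targets a hard-coded address inside one of
 * these mappings, so a failed mapping would turn the next memcpy() into a
 * write to unmapped memory; the run is aborted instead.
 *
 * 0x32 = MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS. The syscall() wrapper
 * returns -1 and sets errno on failure.
 */
static void map_fixed(unsigned long addr, unsigned long len, unsigned long prot)
{
  if (syscall(__NR_mmap, addr, len, prot, 0x32ul, -1, 0ul) == -1) {
    perror("mmap (fixed address)");
    exit(EXIT_FAILURE);
  }
}

/*
 * Reproducer for the UBSAN shift-out-of-bounds report in net/sunrpc/xprt.c:660
 * (xprt_init_majortimeo in the trace; the bug title names
 * xprt_calc_majortimeo).
 *
 * The program stages a small set of buffers at hard-coded addresses and then
 * issues one mount(2) of type "nfs". The mount source string and the mount
 * data blob are opaque fuzzer output, reproduced byte-for-byte; only the
 * structure of the call is documented here. mount(2) needs CAP_SYS_ADMIN,
 * and the reported trace was captured as UID 0.
 *
 * NOTE(review): the oversized shift exponent in the trace presumably comes
 * from an unvalidated numeric field inside the mount data blob — confirm
 * against the NFS mount-data parser before relying on that.
 *
 * Returns 0 once the mount attempt has been made, whatever mount(2) itself
 * returned: the interesting result is the kernel log, not the exit status.
 * Exits with EXIT_FAILURE only when the fixed-address mappings cannot be set
 * up.
 */
int main(void)
{
  /* 16 MiB working area holding every buffer used below. prot 7 is RWX,
   * although nothing in this program executes from it. The two single-page
   * PROT_NONE (prot 0) mappings on either side are presumably guard pages
   * carried over from the fuzzer harness. */
  map_fixed(0x1ffff000ul, 0x1000ul, 0ul);
  map_fixed(0x20000000ul, 0x1000000ul, 7ul);
  map_fixed(0x21000000ul, 0x1000ul, 0ul);

  /* Mount point. 0xffffff9c is AT_FDCWD (-100) as a 32-bit value, mode 0.
   * Best-effort: the directory may already exist from an earlier run, so a
   * failure here is reported but does not stop the reproducer. */
  memcpy((void*)0x200000c0, "./file0\000", 8);
  if (syscall(__NR_mkdirat, 0xffffff9c, 0x200000c0ul, 0ul) == -1) {
    perror("mkdirat ./file0 (continuing)");
  }

  /* mount(2) source argument: 147 bytes of opaque fuzzer output. */
  memcpy(
      (void*)0x20000300,
      "[\312\214M\276\341w5\016\177\002F9\327]:\024J\020\341m\3053\232S\""
      "\270+\037\255\363\035G\342\230\371~\257\375\273\231\252@A\017. "
      "|s\304Q^\324\324me\215O\026\307\276\336\262\234`\234\220g#\205q\rK.\203|"
      "R|9\352\025A`F\217\031\234Y\220\364V\267\2013\006 "
      "\246\201\363@wh/"
      "H\325\026W\023]M\263\3558\223\242^\302\356\035\010\224\0040\027^"
      "\363\226\342\334n\362\2006\033\030\341\226\345\346\356\374\355\247d3\203"
      "S",
      147);

  /* mount(2) target and filesystem type. */
  memcpy((void*)0x20000180, "./file0\000", 8);
  memcpy((void*)0x20000140, "nfs\000", 4);

  /* mount(2) data argument: 163 bytes starting with 0x00000001, the rest
   * opaque. A ',' and a NUL terminator are appended directly after the last
   * byte (0x200003c0 + 163 == 0x20000463). */
  memcpy((void*)0x200003c0,
         "\001\000\000\000\016\364\253.\3540 "
         "\210\320\030*\245zN1\252\035\324hl\343\014\345\355\206\375\345\333\005`"
         "\372\367m\006\030\2068\332J\244\246\013\251\273Z\002r\034\230\202\253"
         "\231\307\201j\227\341\'aiE\\\346\003xi\2039Z\177\2408\002\000W\204$"
         "\t\366%\265\026\265|\3526\250U#\350N\213*\254\376\347\267\002]%"
         "\265\277\207\024\236AR\251\224_\026K\226\372gP5\226\007t\350h4}"
         "9\004\347\037\0262\307::\000\'\235\202\023`|"
         "NQtf\374J\036\237\212\013EQ=T\344\305\226\026I",
         163);
  *(uint8_t*)0x20000463 = 0x2c;
  *(uint8_t*)0x20000464 = 0;

  /* Pause so the operator can start kernel-log capture before the mount.
   * The prompt is printed once and input is drained up to the newline.
   * EOF on stdin (a non-interactive run) also continues; the original loop
   * re-prompted forever in that case because getchar() kept returning EOF. */
  printf("Press the Enter key to continue.\n");
  fflush(stdout);
  int c;
  while ((c = getchar()) != '\n' && c != EOF) {
    ;
  }

  /* The flags word 0x8000 looks like MS_SILENT — confirm. The kernel emits
   * the UBSAN splat while processing this call; whether mount(2) then
   * succeeds or fails is not recorded in the report, so the outcome is only
   * printed, not treated as a reproducer failure. */
  if (syscall(__NR_mount, 0x20000300ul, 0x20000180ul, 0x20000140ul, 0x8000ul,
              0x200003c0ul) == -1) {
    perror("mount");
  }
  return 0;
}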
```

# Reproduction Result

```
[   17.604361][  T291] UBSAN: shift-out-of-bounds in net/sunrpc/xprt.c:660:14
[   17.604375][  T291] shift exponent 2540339655 is too large for 64-bit type 'long unsigned int'
[   17.604388][  T291] CPU: 3 UID: 0 PID: 291 Comm: a.out Not tainted 6.15.0-rc1 #11 NONE 
[   17.604398][  T291] Hardware name: linux,dummy-virt (DT)
[   17.604402][  T291] Call trace:
[   17.604406][  T291]  show_stack+0x1c/0x30 (C)
[   17.604418][  T291]  dump_stack_lvl+0x80/0xe8
[   17.604428][  T291]  dump_stack+0x18/0x20
[   17.604435][  T291]  __ubsan_handle_shift_out_of_bounds+0x11c/0x200
[   17.604444][  T291]  xprt_init_majortimeo+0x198/0x1c0
[   17.604452][  T291]  xprt_request_init+0x124/0x1c0
[   17.604459][  T291]  xprt_reserve+0xb4/0x110
[   17.604466][  T291]  call_reserve+0x40/0x58
[   17.604474][  T291]  __rpc_execute+0x11c/0x630
[   17.604481][  T291]  rpc_execute+0x16c/0x280
[   17.604487][  T291]  rpc_run_task+0x1ec/0x2d0
[   17.604495][  T291]  rpc_call_null_helper+0x100/0x148
[   17.604504][  T291]  rpc_ping+0x74/0xb0
[   17.604511][  T291]  rpc_create_xprt+0x198/0x200
[   17.604519][  T291]  rpc_create+0x20c/0x3d8
[   17.604526][  T291]  nfs_create_rpc_client+0x328/0x3c8
[   17.604534][  T291]  nfs_init_client+0x58/0xb8
[   17.604541][  T291]  nfs_get_client+0x230/0x290
[   17.604547][  T291]  nfs_init_server.isra.0+0x178/0x698
[   17.604554][  T291]  nfs_create_server+0xac/0x350
[   17.604561][  T291]  nfs_try_get_tree+0x6c/0xc8
[   17.604568][  T291]  nfs_get_tree+0x78/0xc8
[   17.604576][  T291]  vfs_get_tree+0x50/0x160
[   17.604584][  T291]  do_new_mount+0x224/0x428
[   17.604593][  T291]  path_mount+0x244/0xaf8
[   17.604600][  T291]  __arm64_sys_mount+0x29c/0x3b0
[   17.604608][  T291]  invoke_syscall+0x64/0x190
[   17.604616][  T291]  el0_svc_common.constprop.0+0x7c/0x140
[   17.604623][  T291]  do_el0_svc+0x38/0x50
[   17.604629][  T291]  el0_svc+0x30/0xc0
[   17.604636][  T291]  el0t_64_sync_handler+0x13c/0x160
[   17.604644][  T291]  el0t_64_sync+0x17c/0x180
[   17.604651][  T291] ---[ end trace ]---
```
