UBSAN: shift-out-of-bounds in intel_pmu

UBSAN: shift-out-of-bounds in intel_pmu_refresh
Status: fixed on 2021/03/10 01:48
Reported-by: syzbot+ae488dc136a4cc6ba32b@syzkaller.appspotmail.com
Fix commit: e61ab2a320c3 KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in intel_pmu_refresh()
First crash: 362d, last: 310d

Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

Linux 5.3

Crash: UBSAN: undefined-behaviour in intel_pmu_refresh (log)
Repro: C syz .config

Sample crash report:

================================================================================
UBSAN: shift-out-of-bounds in arch/x86/kvm/vmx/pmu_intel.c:348:45
shift exponent 197 is too large for 64-bit type 'long long unsigned int'
CPU: 1 PID: 8490 Comm: syz-executor977 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 intel_pmu_refresh.cold+0x75/0x99 arch/x86/kvm/vmx/pmu_intel.c:348
 kvm_vcpu_after_set_cpuid+0x65a/0xf80 arch/x86/kvm/cpuid.c:178
 kvm_vcpu_ioctl_set_cpuid2+0x160/0x440 arch/x86/kvm/cpuid.c:309
 kvm_arch_vcpu_ioctl+0x1249/0x2d30 arch/x86/kvm/x86.c:4748
 kvm_vcpu_ioctl+0x7b9/0xd90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3434
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4480a9
Code: e8 9c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0646930d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006ddc68 RCX: 00000000004480a9
RDX: 0000000020000480 RSI: 000000004008ae90 RDI: 0000000000000008
RBP: 00000000006ddc60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc6c
R13: ddd82e0065000000 R14: 099a300f0078010f R15: 2e320fc0000080b9
================================================================================

Crashes (1237):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/01/18 05:52	upstream	a1339d6355ac	fd103621	.config	log	report	syz	C		UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2020/12/08 07:13	linux-next	15ac8fdb7440	51a9082e	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2021/01/27 06:30	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/27 04:56	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/27 02:23	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/27 00:07	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/27 00:00	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/26 14:26	upstream	13391c60da33	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/26 13:13	upstream	13391c60da33	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/26 07:47	upstream	f8ad8187c3b5	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-selinux-root	2021/01/26 07:06	upstream	f8ad8187c3b5	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/26 04:38	upstream	f8ad8187c3b5	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/25 23:54	upstream	f8ad8187c3b5	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/25 20:32	upstream	6ee1d745b7c9	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/25 18:30	upstream	6ee1d745b7c9	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/25 11:37	upstream	6ee1d745b7c9	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/25 03:39	upstream	e68061375f79	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/24 22:01	upstream	e68061375f79	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/24 17:58	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/24 12:50	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/24 10:56	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/24 06:47	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/24 02:42	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/24 01:40	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/23 22:56	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/23 21:13	upstream	fe75a21824e7	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/23 18:56	upstream	fe75a21824e7	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/23 18:32	upstream	fe75a21824e7	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/23 10:04	upstream	fe75a21824e7	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-selinux-root	2021/01/23 06:21	upstream	83d09ad4b950	4080af96	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-selinux-root	2021/01/23 02:05	upstream	83d09ad4b950	4080af96	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce	2021/01/22 20:26	upstream	83d09ad4b950	4080af96	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/26 18:39	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/26 16:55	upstream	13391c60da33	55a7d4df	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/26 06:04	upstream	f8ad8187c3b5	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/26 01:06	upstream	f8ad8187c3b5	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/24 23:43	upstream	e68061375f79	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/24 08:38	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/24 00:36	upstream	e1ae4b0be158	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/22 21:29	upstream	83d09ad4b950	4080af96	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-386	2021/01/22 14:50	upstream	9f29bd8b2e71	d4f4eca5	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/28 04:25	linux-next	bc085f8fc88f	eefc07f2	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/27 23:05	linux-next	bc085f8fc88f	eefc07f2	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/27 16:17	linux-next	bc085f8fc88f	a0ebf917	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/27 13:42	linux-next	bc085f8fc88f	a0ebf917	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/26 11:28	linux-next	bc085f8fc88f	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/26 11:20	linux-next	bc085f8fc88f	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/26 09:45	linux-next	bc085f8fc88f	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/24 20:16	linux-next	bc085f8fc88f	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-linux-next-kasan-gce-root	2021/01/23 07:51	linux-next	bc085f8fc88f	52e37319	.config	log	report			info	UBSAN: shift-out-of-bounds in intel_pmu_refresh
ci-upstream-kasan-gce-smack-root	2021/01/17 13:51	upstream	0da0a8a0a0e1	813be542	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/12/07 12:15	linux-next	15ac8fdb7440	1190297f	.config	log	report			info