[LU-17517] shift exponent 65 is too large for 64-bit type in lov_request.c Created: 08/Feb/24  Updated: 09/Feb/24

Status: Open
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.15.4
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Åke Sandgren Assignee: WC Triage
Resolution: Unresolved Votes: 0
Labels: None

Severity: 3
Rank (Obsolete): 9223372036854775807

Description

One of our clients just gave us this:

[  201.440391] UBSAN: shift-out-of-bounds in /var/lib/dkms/lustre-client-modules/2.15.4-hpc2n0.2/build/lustre/lov/lov_request.c:230:23
[  201.452215] shift exponent 65 is too large for 64-bit type 'long long unsigned int'
[  201.460108] ================================================================================
[  201.468547] ================================================================================
[  201.476985] UBSAN: shift-out-of-bounds in /var/lib/dkms/lustre-client-modules/2.15.4-hpc2n0.2/build/lustre/lov/lov_request.c:231:23
[  201.488810] shift exponent 65 is too large for 64-bit type 'long long unsigned int'
[  201.496944] ================================================================================
[  201.505378] ================================================================================
[  201.513819] UBSAN: shift-out-of-bounds in /var/lib/dkms/lustre-client-modules/2.15.4-hpc2n0.2/build/lustre/lov/lov_request.c:232:23
[  201.525642] shift exponent 65 is too large for 64-bit type 'long long unsigned int'

Comments
Comment by Tim Day [ 09/Feb/24 ]

Seems like in `lov_update_statfs()`, the logic

    for (shift = 0; shift <= 64; ++shift) {
            if (tmp & 1) {
                    if (quit)
                            break;
                    quit = 1;
                    shift = 0;
            }
            tmp >>= 1;
    }

is wrong. If we finish the loop without breaking, `shift` will be 65. I think if `shift` is 64, that's also undefined behavior. It'd have to be capped at 63.
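
An added example in C (not Lustre's code and not a proposed patch): the loop exactly as quoted above, run on an input with a single set bit to show that it leaves `shift` at 65, next to a checked variant that computes the same bit distance and can never yield a shift count of 64 or more. It assumes, as a hypothesis about the caller, that `tmp` is the bitwise OR of two power-of-two block sizes and that the result is used as a right-shift count for the three 64-bit counters UBSAN flagged.

```c
#include <stdint.h>
#include <stdio.h>

/* The loop as posted in the comment: scans tmp for the distance
 * between its first two set bits. Falls through to shift == 65 when
 * tmp has fewer than two bits set (including tmp == 0). */
static int shift_as_posted(uint64_t tmp)
{
	int shift, quit = 0;

	for (shift = 0; shift <= 64; ++shift) {
		if (tmp & 1) {
			if (quit)
				break;
			quit = 1;
			shift = 0;
		}
		tmp >>= 1;
	}
	return shift; /* never used as a shift count in this harness */
}

/* Checked variant (added here, not Lustre's fix). Assumes tmp is the
 * OR of two distinct powers of two; returns their log2 ratio (1..63),
 * or -1 when that assumption does not hold, so the caller can skip
 * the shift instead of applying an undefined one. */
static int shift_checked(uint64_t tmp)
{
	int low, high;

	if (tmp == 0 || (tmp & (tmp - 1)) == 0)
		return -1;                 /* fewer than two bits set */
	low = __builtin_ctzll(tmp);        /* index of lowest set bit */
	tmp &= tmp - 1;                    /* clear it */
	if (tmp & (tmp - 1))
		return -1;                 /* more than two bits set */
	high = __builtin_ctzll(tmp);       /* index of the other bit */
	return high - low;                 /* at most 63 - 0 = 63 */
}

int main(void)
{
	uint64_t single = 1ULL;                          /* constructed */
	uint64_t pair = (1ULL << 12) | (1ULL << 16);     /* constructed */

	printf("posted:  single=%d pair=%d\n",
	       shift_as_posted(single), shift_as_posted(pair));
	printf("checked: single=%d pair=%d\n",
	       shift_checked(single), shift_checked(pair));
	return 0;
}
```

Shifting a 64-bit value by 64 or 65 is undefined in C regardless of the value being shifted, which is why UBSAN reports the shift itself rather than any wrong result.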
