Xen project Mailing List

Re: [PATCH] xsm/flask: Fix undefined behaviour in avc_dump_av()

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>

Date: Sat, 2 May 2026 07:55:00 +0000

Accept-language: en-US, uk-UA, ru-RU

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XBMnCU8HRfN7uFjeSa0ezCfezBIqszeeqV7olHwkzbM=; b=NJpln+C/A8V2OTCFuWuRuNBxYnHqNWCM0yEPGypKf/hNLzSz2gSOAdemFZ78in3WoTlhmwUc5CWUUeInrqr8OWCoRCL3FVAUYnmw12nXwGpgpR3bJSY14t83WrEo681tiUvUBANnSIHY9g2nM/5hoG7mYb6ysvuvU3rI1zF/a9s5oeA3jhn1qoBaCVeGrrOQWg1zpoK5aYtAcKeCqn4nIYnyI5D/lmG6TFbDBsr4/bbDWd7WO9Fv4oq/+pcVL0oGKa2KZsDeCwkEkjP8YP5lPQDsISVx32ex6l9EbvNEtD6EMWfQJ/NWB1VxCP30/oEYSHCac0ba3eTWyuxts3et5g==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=QasLJ0sAVJX0yCdy/VJO2ju4NwtMZUZCwc5GCXB7gulxgdt21NWUpdyF5JoMJXor2E+wdYC/Py9oUgK6RJdG2+Zy++O6XudhWh2gHcBd7+I3Au9T8dLsqztZY3GNSzWzUJFwsCN1cdFMbtJShcamHGa9AouRYpq6w8L1MITA/vJtNPnasoF8J4JH6j8eCihDY8VaVAJxXlSbxPa9Wuk4H0YJEZ6OxCT5YJful/RlS+sa86/ZBSANvAc1lM7cb6Wni7ABe4oyOFqLQOohqsxAjJI+0Ee9f0E1z2eqGNZcR2jYhZj0/DCNUfmLb4eLL/4rpzXAiO9QofAWkSXJ7UXLIg==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=epam.com header.i="@epam.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Sat, 02 May 2026 07:55:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHc2XU4ZcEAsUoy1EuhfVMBY8DBF7X5OliAgAEkr4A=

Thread-topic: [PATCH] xsm/flask: Fix undefined behaviour in avc_dump_av()

On 5/1/26 17:27, Andrew Cooper wrote: > On 01/05/2026 3:17 pm, Dmytro Prokopchuk1 wrote: >> When booting Xen with CONFIG_USBAN=y and CONFIG_XSM_FLASK=y, >> UBSAN reports undefined behaviour in avc_dump_av() due to a left >> shift on a signed int: >> >> (XEN) [ 1.104348] >> ================================================================================ >> (XEN) [ 1.105096] UBSAN: Undefined behaviour in xsm/flask/avc.c:184:14 >> (XEN) [ 1.106052] left shift of 1073741824 by 1 places cannot be >> represented in type 'int' >> (XEN) [ 1.107546] Xen WARN at common/ubsan/ubsan.c:176 >> (XEN) [ 1.108295] ----[ Xen-4.21.1 arm64 debug=y ubsan=y Not tainted >> ]---- >> (XEN) [ 1.108848] CPU: 0 >> (XEN) [ 1.109147] PC: 00000a00002f64fc >> ubsan.c#ubsan_epilogue+0x10/0xd4 >> [...] >> (XEN) [ 1.146320] Xen call trace: >> (XEN) [ 1.146663] [<00000a00002f64fc>] >> ubsan.c#ubsan_epilogue+0x10/0xd4 (PC) >> (XEN) [ 1.147227] [<00000a00002f7bc4>] >> __ubsan_handle_shift_out_of_bounds+0x1a0/0x290 (LR) >> (XEN) [ 1.147868] >> (XEN) [ 1.148177] >> ================================================================================ >> >> This can be solved by making 'perm' an unsigned 32-bit type (u32). >> >> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@xxxxxxxx> >> --- >> Test CI pipeline: >> https://gitlab.com/xen-project/people/dimaprkp4k/xen/-/pipelines/2493649109 >> --- >> xen/xsm/flask/avc.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c >> index 3d39e55cae..9c3ffdc070 100644 >> --- a/xen/xsm/flask/avc.c >> +++ b/xen/xsm/flask/avc.c >> @@ -152,7 +152,8 @@ static void __attribute__ ((format (printf, 2, 3))) >> */ >> static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av) >> { >> - int i, i2, perm; >> + int i, i2; >> + u32 perm; >> >> if ( av == 0 ) >> { > > The fix is fine, but wants to be uint32_t. (The existing code is > already inconsistent, and wants fixing up towards Xen's preferred style.) > > Can be fixed on commit. > > ~Andrew Hello, I'm fine with that. Thanks, Dmytro.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.