Skip to content

R
raspberrypi-kernel

openeuler / raspberrypi-kernel

通知 14
Star 1
Fork 0
R
raspberrypi-kernel
切换分支/标签
查找文件 Blame历史永久链接Permalink
  • H
    time64: Avoid undefined behaviour in timespec64_add() · 39cdf0d2
    Hongbo Yao 提交于 
    euler inclusion
category: bugfix
bugzilla: 10690
CVE: NA
-------------------------------------------------

I ran into this:
	=========================================================================
	UBSAN: Undefined behaviour in ./include/linux/time64.h:70:2
	signed integer overflow:
	1551059291 + 9223372036854775807 cannot be represented in type 'long
	long int'
	CPU: 5 PID: 20064 Comm: syz-executor.2 Not tainted 4.19.24 #4
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
	1.10.2-1ubuntu1 04/01/2014
	Call Trace:
	 __dump_stack lib/dump_stack.c:77 [inline]
	 dump_stack+0xca/0x13e lib/dump_stack.c:113
	 ubsan_epilogue+0xe/0x81 lib/ubsan.c:159
	 handle_overflow+0x193/0x1e2 lib/ubsan.c:190
	 timespec64_add include/linux/time64.h:70 [inline]
	 timekeeping_inject_offset+0x3ed/0x4e0 kernel/time/timekeeping.c:1301
	 do_adjtimex+0x1e5/0x6c0 kernel/time/timekeeping.c:2360
	 __do_sys_clock_adjtime+0x122/0x200 kernel/time/posix-timers.c:1086
	 do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
	RIP: 0033:0x462eb9
	Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
	f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
	f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007f888aa2dc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000131
	RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9
	RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000000
	RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 00007f888aa2e6bc
	R13: 00000000004bcae8 R14: 00000000006f6868 R15: 00000000ffffffff
	==========================================================================

Since lhs.tv_sec and rhs.tv_sec are both time64_t, this is a signed
addition which will cause undefined behaviour on overflow.

The easiest way to avoid the overflow is to cast one of the arguments to
unsigned (so the addition will be done using unsigned arithmetic).
This patch doesn't change generated code.
Signed-off-by: NHongbo Yao <yaohongbo@huawei.com>
Reviewed-by: NYang Yingliang <yangyingliang@huawei.com>
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
    39cdf0d2
time64.h 4.0 KB