[src/trunk]: src/sys/kern kern: Avoid arithmetic overflow in gettimeleft.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/kern kern: Avoid arithmetic overflow in gettimeleft.
From: riastradh <riastradh%NetBSD.org@localhost>
Date: Tue, 28 Jun 2022 04:21:38 +0000

details:   https://anonhg.NetBSD.org/src/rev/a59ee9367f48
branches:  trunk
changeset: 368201:a59ee9367f48
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Tue Jun 28 02:04:51 2022 +0000

description:
kern: Avoid arithmetic overflow in gettimeleft.

Sprinkle assertions in to verify we're monotonically counting the
time left down to zero.

Reported-by: syzbot+5f6a6329d139810dfe3c%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/subr_time.c |  21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

diffs (54 lines):

diff -r b6f8486f7ede -r a59ee9367f48 sys/kern/subr_time.c
--- a/sys/kern/subr_time.c      Tue Jun 28 01:44:19 2022 +0000
+++ b/sys/kern/subr_time.c      Tue Jun 28 02:04:51 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_time.c,v 1.34 2022/06/26 22:31:47 riastradh Exp $ */
+/*     $NetBSD: subr_time.c,v 1.35 2022/06/28 02:04:51 riastradh Exp $ */
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -33,7 +33,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.34 2022/06/26 22:31:47 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.35 2022/06/28 02:04:51 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -207,6 +207,7 @@
        if (itimespecfix(ts)) {
                return -1;
        }
+       KASSERT(ts->tv_sec >= 0);
        getnanouptime(sleepts);
        return 0;
 }
@@ -214,15 +215,23 @@
 int
 gettimeleft(struct timespec *ts, struct timespec *sleepts)
 {
-       struct timespec sleptts;
+       struct timespec now, sleptts;
+
+       KASSERT(ts->tv_sec >= 0);
 
        /*
         * Reduce ts by elapsed time based on monotonic time scale.
         */
-       getnanouptime(&sleptts);
-       timespecadd(ts, sleepts, ts);
+       getnanouptime(&now);
+       KASSERT(timespeccmp(sleepts, &now, <=));
+       timespecsub(&now, sleepts, &sleptts);
+       *sleepts = now;
+
+       if (timespeccmp(ts, &sleptts, <=)) { /* timed out */
+               timespecclear(ts);
+               return 0;
+       }
        timespecsub(ts, &sleptts, ts);
-       *sleepts = sleptts;
 
        return tstohz(ts);
 }

Prev by Date: [src/trunk]: src/sys/netinet tcp(4): Bail early on sendoob if not connected.
Next by Date: [src/trunk]: src/sys/dev/raidframe RAIDframe must be initialized for the RAID...
Previous by Thread: [src/trunk]: src/sys/netinet tcp(4): Bail early on sendoob if not connected.
Next by Thread: [src/trunk]: src/sys/dev/raidframe RAIDframe must be initialized for the RAID...
Indexes:

Home | Main Index | Thread Index | Old Index