Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/kern Avoid signed integer overflow in ts2timo() for ts->...



details:   https://anonhg.NetBSD.org/src/rev/1bc4c0fbaaa6
branches:  trunk
changeset: 1003916:1bc4c0fbaaa6
user:      kamil <kamil%NetBSD.org@localhost>
date:      Fri Oct 04 14:17:07 2019 +0000

description:
Avoid signed integer overflow in ts2timo() for ts->tv_nsec

The condition would be rechecked later again after subtracting start time
and most invalid inputs rejected. In corner cases the current code can
accept certain invalid inputs that will pass checks later and behave like
valid ones (due to signed integer overflow).

Reported-by: syzbot+3a4a07b62558bbbd3baa%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/subr_time.c |  7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diffs (28 lines):

diff -r 915bc4abe8db -r 1bc4c0fbaaa6 sys/kern/subr_time.c
--- a/sys/kern/subr_time.c      Fri Oct 04 12:46:43 2019 +0000
+++ b/sys/kern/subr_time.c      Fri Oct 04 14:17:07 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $  */
+/*     $NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $     */
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -33,7 +33,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -329,6 +329,9 @@
        int error;
        struct timespec tsd;
 
+       if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000L)
+               return EINVAL;
+
        flags &= TIMER_ABSTIME;
        if (start == NULL)
                start = &tsd;



Home | Main Index | Thread Index | Old Index