[src/trunk]: src/sys/kern kern: Fix fencepost error in ts2timo overflow checks.

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/5edbcd8a69dd
branches:  trunk
changeset: 363491:5edbcd8a69dd
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Mar 13 17:52:45 2022 +0000

description:
kern: Fix fencepost error in ts2timo overflow checks.

Triggered by

clock_settime({.tv_sec=0, .tv_nsec=0})
clock_nanosleep({.tv_sec=LLONG_MIN, .tv_nsec=0})

so that, by the time we enter ts2timo (after a few nanoseconds have
passed), we end up with

tsd = {.tv_sec=0, .tv_nsec=nonzero}
ts = {.tv_sec=LLONG_MIN, .tv_nsec=0}

and the subtraction ts - tsd leads to a borrow from tv_sec.

Reported-by: syzbot+14818113e9d0b45bca64%syzkaller.appspotmail.com@localhost

diffstat:

 sys/kern/subr_time.c |  13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diffs (34 lines):

diff -r 521bfa489197 -r 5edbcd8a69dd sys/kern/subr_time.c
--- a/sys/kern/subr_time.c      Sun Mar 13 17:50:54 2022 +0000
+++ b/sys/kern/subr_time.c      Sun Mar 13 17:52:45 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: subr_time.c,v 1.31 2021/09/21 14:55:14 christos Exp $  */
+/*     $NetBSD: subr_time.c,v 1.32 2022/03/13 17:52:45 riastradh Exp $ */
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -33,7 +33,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.31 2021/09/21 14:55:14 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.32 2022/03/13 17:52:45 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -341,8 +341,13 @@
        }
 
        if ((flags & TIMER_ABSTIME) != 0) {
-               if ((tsd.tv_sec > 0 && ts->tv_sec < LLONG_MIN + tsd.tv_sec) ||
-                   (tsd.tv_sec < 0 && ts->tv_sec > LLONG_MAX + tsd.tv_sec))
+               /*
+                * Add one to the bound to account for possible carry
+                * from tv_nsec in timespecsub.
+                */
+               if (tsd.tv_sec > 0 && ts->tv_sec < LLONG_MIN + tsd.tv_sec + 1)
+                       return EINVAL;
+               if (tsd.tv_sec < 0 && ts->tv_sec > LLONG_MAX + tsd.tv_sec - 1)
                        return EINVAL;
                timespecsub(ts, &tsd, ts);
        }