From: Zhen Lei
To: Alexander Viro, Benjamin LaHaise, linux-fsdevel, linux-aio, linux-kernel
CC: Tianhong Ding, Hanjun Guo, Libin, Kefeng Wang, Zhen Lei
Subject: [PATCH 1/1] aio: make sure the input "timeout" value is valid
Date: Wed, 13 Dec 2017 21:42:52 +0800
Message-ID: <1513172572-16724-1-git-send-email-thunder.leizhen@huawei.com>

The information below is reported by a lower kernel version, and I saw the problem still exists in the current version.

UBSAN: Undefined behaviour in include/linux/ktime.h:55:34
signed integer overflow:
-4971973988617027584 * 1000000000 cannot be represented in type 'long int'
......
[] timespec_to_ktime include/linux/ktime.h:55 [inline]
[] read_events+0x4c8/0x5d0 fs/aio.c:1269
[] SYSC_io_getevents fs/aio.c:1733 [inline]
[] SyS_io_getevents+0xd4/0x218 fs/aio.c:1722

Signed-off-by: Zhen Lei
---
 fs/aio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/aio.c b/fs/aio.c
index a062d75..19f7661 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1858,6 +1858,9 @@ static long do_io_getevents(aio_context_t ctx_id, if (timeout) { if (unlikely(get_timespec64(&ts, timeout))) return -EFAULT; + + if (!timespec64_valid(&ts)) + return -EINVAL; } return do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &ts : NULL); @@ -1876,6 +1879,8 @@ static long do_io_getevents(aio_context_t ctx_id, if (compat_get_timespec64(&t, timeout)) return -EFAULT; + if (!timespec64_valid(&t)) + return -EINVAL; } return do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &t : NULL); -- 1.8.3
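Review bot: the changelog does not say which user-supplied timeouts the new `if (!timespec64_valid(&ts)) return -EINVAL;` in the first hunk (native path, after get_timespec64()) now rejects, and this is a user-visible change for callers whose timeout was previously accepted. The UBSAN report shows a negative seconds value (-4971973988617027584) being multiplied by 1000000000 in timespec_to_ktime, so the message should state that such inputs now fail with -EINVAL instead of reaching the conversion, and name the input that triggered the report. The trace is also from a lower kernel version (fs/aio.c:1269, 1722, 1733) while the hunk applies around line 1858, so a sentence confirming that the same conversion is still reached on the current tree would make the fix easier to verify.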
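Review bot: the second hunk (compat path, after compat_get_timespec64()) duplicates the check already added in the first hunk, and both callers then hand the timespec straight to do_io_getevents(ctx_id, min_nr, nr, events, ...). Validating the non-NULL timespec once at the top of do_io_getevents() would cover both entry points and any later caller with a single test, and would keep the validation next to the code that consumes the value. If the per-caller checks stay, note the style inconsistency: the first hunk adds a blank line before the check and this one does not.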