Received: by 2002:ac0:b08d:0:0:0:0:0 with SMTP id l13csp4236920imc; Mon, 25 Feb 2019 01:02:52 -0800 (PST) X-Google-Smtp-Source: AHgI3IbSG4eRjk10tU2kqQUPjpfGtMzLjQttrqdYTD/DapXi/GbP4fBL4LEFukM/lfGF5R3qksKx X-Received: by 2002:a62:e214:: with SMTP id a20mr18843201pfi.192.1551085372621; Mon, 25 Feb 2019 01:02:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551085372; cv=none; d=google.com; s=arc-20160816; b=g2/bQFFjPdC+Qeomj/AEnIbCbr33RYoXStXE8u791WMyxv0EWwWmVL0WLyw8q+65t5 QIrhSHI9OZh4hajmZi5sPOq+5HLKuNZZe/U+A+uTBYzzHEwChO5PkU/ji5QPZYhF7Kr1 IL6rxbnVr2jQCfndJVI8n1H0y+klJ/blYxvLC8qovR/iPe/5VQQtEJK0YjFWl6orx2If zrGzGDA9V1moBx2WQduuHTRWSjhGFwpBQTKt59AoyzlLOYq0TVzar/MdRJ7wwT5gTyUo boGHsigbkMFm2Tce+lw9kppmId5lsqNqBwrlDbb+lvtP/0FEPAVEOhLw2mmIDK+S7SUY h7Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=rRdZb8cJTcFYLFAEEDDZDp2BVgzzQ1jv5NyCWR1kpT4=; b=NnOihSuia1w41ZaqgUBfL7E4FPAVUtUbigZkkPqzs4YzV5xKKeNz47B73LBl64iUW6 560zK2yctzb26nBAJt95JRT0JnZ6N6o9TrsnmDw90j2dVNLD8y97XkSMLAIokcZPNbUj 3tiohrUhF2gQ2gXsExElFRdy8LPVbwxBEPuIVvJPHwQV1JyIqGUJzudjxCfRChdoyuEs wx76ger9NcCjcD2zlu8BN/34pekFGoXW/fsY9ET12OkSqGiYfYQIe4USvfFUnuRFyAip +AH6ax2A0/QCH8YS62CQpRKxKkjAkHpYleQpXeGpQl/yTl3BWcUcVa+aGsduFMO9Qke8 BjIg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f131si9551432pfc.92.2019.02.25.01.02.36; Mon, 25 Feb 2019 01:02:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726420AbfBYJCE (ORCPT + 99 others); Mon, 25 Feb 2019 04:02:04 -0500 Received: from mail-qt1-f196.google.com ([209.85.160.196]:40225 "EHLO mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725863AbfBYJCE (ORCPT ); Mon, 25 Feb 2019 04:02:04 -0500 Received: by mail-qt1-f196.google.com with SMTP id j36so9572114qta.7 for ; Mon, 25 Feb 2019 01:02:03 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rRdZb8cJTcFYLFAEEDDZDp2BVgzzQ1jv5NyCWR1kpT4=; b=H98DuragftgiTZTHHXmEQgN7npNrLQa7AUPMH2IT0+fttr1CvmRQgy+VIxtQD3seI9 2DqH+BewGwujMjB1BodQfMV3cR8Y0KiqfVTHBeMB/6nSixhsOuqJY98w1mezA+M3WzaZ mjkj5QtNl9+GBR/ts1kMCz/lzHPx8CIjYZUz00EWUugFgzoCeyycIMBIl3pI29HOL9J/ 1qNi5E3yUlEOfgcuuoUCRgqXV0RUxm9Ym2PK74juTqgLeBgU4YyZgy65RTOZVIWyYiC/ WAHeN5CCJmL2nUbrL/Vd8ztO0KfUbr+9TjX8rJq8d9AwoTq5GeoGix+5mJ6e+7jF3rZg nz/Q== X-Gm-Message-State: AHQUAuZFQSXn8n1bkUGemyHbb7BgeIeUJu29gblLYVf7C4YpGaDKAWwQ 7IpaKOnno9+e60OqFX3k3lqCLmn9ZHjcPQ0Xpn4= X-Received: by 2002:ac8:3251:: with SMTP id y17mr7415452qta.152.1551085322843; Mon, 25 Feb 2019 01:02:02 -0800 (PST) MIME-Version: 1.0 References: <20190225032619.17070-1-yaohongbo@huawei.com> In-Reply-To: From: Arnd Bergmann Date: Mon, 25 Feb 2019 10:01:46 +0100 Message-ID: Subject: Re: [PATCH] time64: Avoid undefined behaviour in timespec64_add() To: Deepa Dinamani Cc: Hongbo Yao , Thomas Gleixner , Linux Kernel Mailing List , Linuxarm Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 25, 2019 at 5:53 AM Deepa Dinamani wrote: > > On Sun, Feb 24, 2019 at 7:13 PM Hongbo Yao wrote: > > > > I ran into this: > > ========================================================================= > > UBSAN: Undefined behaviour in ./include/linux/time64.h:70:2 > > signed integer overflow: > > 1551059291 + 9223372036854775807 cannot be represented in type 'long > > long int' > > CPU: 5 PID: 20064 Comm: syz-executor.2 Not tainted 4.19.24 #4 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > > 1.10.2-1ubuntu1 04/01/2014 > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0xca/0x13e lib/dump_stack.c:113 > > ubsan_epilogue+0xe/0x81 lib/ubsan.c:159 > > handle_overflow+0x193/0x1e2 lib/ubsan.c:190 > > timespec64_add include/linux/time64.h:70 [inline] ... > > Since lhs.tv_sec and rhs.tv_sec are both time64_t, this is a signed > > addition which will cause undefined behaviour on overflow. I wonder if we should treat this as undefined behavior in the kernel or not: The kernel is build with -fno-strict-overflow, so signed integer overflow is supposed to behave the same way as unsigned, and assume two's-complement arithmetic. > > @@ -67,7 +67,7 @@ static inline struct timespec64 timespec64_add(struct timespec64 lhs, > > struct timespec64 rhs) > > { > > struct timespec64 ts_delta; > > - set_normalized_timespec64(&ts_delta, lhs.tv_sec + rhs.tv_sec, > > + set_normalized_timespec64(&ts_delta, (timeu64_t)lhs.tv_sec + rhs.tv_sec, > > lhs.tv_nsec + rhs.tv_nsec); > > return ts_delta; > > } > > There is already a timespec64_add_safe() to account for such > overflows. That assumes both the timespec64 values are positive. > But, timekeeping_inject_offset() cannot use that as one of the values > can be negative. We could perhaps extend timespec64_add_safe() to handle both overflow and underflow, and allow negative arguments. It would have to use some extra checks then. There are actually only a very small number of callers to timespec64_add(): arch/arm/xen/enlighten.c: *ts = timespec64_add(now, ts_monotonic); arch/arm/xen/enlighten.c: system_time = timespec64_add(now, tk->wall_to_monotonic); drivers/net/ethernet/cadence/macb_ptp.c: now = timespec64_add(now, then); drivers/net/ethernet/intel/igb/igb_main.c: ts = timespec64_add(adapter->perout[0].start, drivers/net/ethernet/intel/igb/igb_main.c: ts = timespec64_add(adapter->perout[1].start, drivers/net/ethernet/intel/igb/igb_ptp.c: now = timespec64_add(now, then); fs/cifs/dfs_cache.c: return timespec64_add(now, ts); include/linux/rtc.h: *to_set = timespec64_add(*now, delay); include/linux/time64.h:static inline struct timespec64 timespec64_add(struct timespec64 lhs, kernel/time/timekeeping.c: tmp = timespec64_add(tk_xtime(tk), *ts); kernel/time/timekeeping.c: timespec64_add(timekeeping_suspend_time, delta_delta); net/ceph/messenger.c: ts = timespec64_add(con->last_keepalive_ack, ts); It looks like an actual overflow would be really bad in most of these, regardless of the undefined behavior. > Are you running some kind of a fuzzer that would cause a overflow? > You seem to be adding INT64_MAX here. Maybe the right thing to do is > to add a check at the syscall interface rather than here. Returning an error from the syscall here sounds like a good idea. I'm not sure what we should do about the time32 version of adjtimex though if we decide we want that. Should we just reject any times there that result in a time outside of the 1970..2038 range? Arnd