References: <1551233212-42022-1-git-send-email-wangxiongfeng2@huawei.com>
In-Reply-To: <1551233212-42022-1-git-send-email-wangxiongfeng2@huawei.com>
From: Deepa Dinamani
Date: Tue, 26 Feb 2019 18:38:03 -0800
Subject: Re: [RFC PATCH] posix-cpu-timers: Avoid undefined behaviour in timespec64_to_ns()
To: Xiongfeng Wang
Cc: Thomas Gleixner, Arnd Bergmann, Linux Kernel Mailing List
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 26, 2019 at 6:07 PM Xiongfeng Wang wrote:
>
> When I ran the Syzkaller testsuite, I got the following call trace.
> ================================================================================
> UBSAN: Undefined behaviour in ./include/linux/time64.h:120:27
> signed integer overflow:
> 8243129037239968815 * 1000000000 cannot be represented in type 'long long int'
> CPU: 5 PID: 28854 Comm: syz-executor.1 Not tainted 4.19.24 #4
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xca/0x13e lib/dump_stack.c:113
>  ubsan_epilogue+0xe/0x81 lib/ubsan.c:159
>  handle_overflow+0x193/0x1e2 lib/ubsan.c:190
>  timespec64_to_ns include/linux/time64.h:120 [inline]
>  posix_cpu_timer_set+0x95a/0xb70 kernel/time/posix-cpu-timers.c:687
>  do_timer_settime+0x198/0x2a0 kernel/time/posix-timers.c:892
>  __do_sys_timer_settime kernel/time/posix-timers.c:918 [inline]
>  __se_sys_timer_settime kernel/time/posix-timers.c:904 [inline]
>  __x64_sys_timer_settime+0x18d/0x260 kernel/time/posix-timers.c:904
>  do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x462eb9
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f14e4127c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000df
> RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462eb9
> RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f14e41286bc
> R13: 00000000004c54cc R14: 0000000000704278 R15: 00000000ffffffff
> ================================================================================
>
> This patch uses 'timespec64_to_ktime()' to limit 'tv_sec' to avoid
> overflow.
>
> Signed-off-by: Xiongfeng Wang
> ---
>  kernel/time/posix-cpu-timers.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
> index 80f9552..f7e3929 100644
> --- a/kernel/time/posix-cpu-timers.c
> +++ b/kernel/time/posix-cpu-timers.c
> @@ -684,7 +684,7 @@ static int posix_cpu_timer_set(struct k_itimer *timer, int timer_flags,
>  	 * Install the new reload setting, and
>  	 * set up the signal and overrun bookkeeping.
>  	 */
> -	timer->it.cpu.incr = timespec64_to_ns(&new->it_interval);
> +	timer->it.cpu.incr = ktime_to_ns(timespec64_to_ktime(new->it_interval));
>  	timer->it_interval = ns_to_ktime(timer->it.cpu.incr);
>
>  	/*

This seems like a similar bug to the other one https://lkml.org/lkml/2019/2/24/214.
Maybe it makes sense here also to do some bounds checking when we get the userspace parameter.
This patch just saturates the value.

-Deepa
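Review bot: the `+` line in the hunk silently clamps an out-of-range it_interval to KTIME_MAX (timespec64_to_ktime() saturates, as the reply points out) instead of rejecting it, so a caller passing a tv_sec like the 8243129037239968815 in the UBSAN report ends up with a timer whose reload value is KTIME_MAX rather than getting an error; consider validating the timespec where it is taken from userspace and returning -EINVAL, and in any case the changelog should say the value is clamped rather than "limited". The hunk also converts only it_interval; since the report is about the conversion helper itself (timespec64_to_ns at time64.h:120), please check whether it_value in the same function reaches that helper with an unchecked value as well.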
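As an added example (not code from the patch, the kernel or the thread participants) to contrast the two options the thread discusses: the saturating conversion the patch relies on, and the up-front bounds check suggested in the reply. The constants and the struct layout are simplified stand-ins for the kernel's definitions, and the tv_sec value is the one from the UBSAN report.

```c
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

/* Stand-ins for the kernel's definitions (assumed, simplified for this example). */
#define NSEC_PER_SEC  1000000000LL
#define KTIME_MAX     INT64_MAX
#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)   /* 9223372036 seconds */

struct timespec64 { int64_t tv_sec; long tv_nsec; };

/* Probe the multiplication UBSAN flagged without performing it. */
static bool mul_overflows(int64_t sec)
{
    int64_t unused;
    return __builtin_mul_overflow(sec, NSEC_PER_SEC, &unused);
}

/* Saturating conversion, what the patch gets from timespec64_to_ktime(): tv_sec at or
 * above KTIME_SEC_MAX collapses to KTIME_MAX, so a clamped interval is indistinguishable
 * from a genuinely huge one. */
static int64_t saturating_to_ns(struct timespec64 ts)
{
    if (ts.tv_sec >= KTIME_SEC_MAX)
        return KTIME_MAX;
    return ts.tv_sec * NSEC_PER_SEC + ts.tv_nsec;
}

/* Validating conversion, the alternative raised in the reply: bounds-check the userspace
 * value up front and return -EINVAL instead of clamping. tv_sec == KTIME_SEC_MAX is
 * rejected too, because adding tv_nsec could still overflow. */
static int checked_to_ns(struct timespec64 ts, int64_t *ns)
{
    if (ts.tv_nsec < 0 || ts.tv_nsec >= NSEC_PER_SEC)
        return -EINVAL;
    if (ts.tv_sec < 0 || ts.tv_sec >= KTIME_SEC_MAX)
        return -EINVAL;
    *ns = ts.tv_sec * NSEC_PER_SEC + ts.tv_nsec;
    return 0;
}

int main(void)
{
    struct timespec64 bad = { 8243129037239968815LL, 0 };  /* tv_sec from the UBSAN report */
    int64_t ns;
    printf("overflows=%d saturated=%lld checked=%d\n", mul_overflows(bad.tv_sec),
           (long long)saturating_to_ns(bad), checked_to_ns(bad, &ns));
    return 0;
}
```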