Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid signed integer overflow in ts2timo() for ts->tv_nsec 

The condition would be rechecked later again after subtracting start time
and most invalid inputs rejected. In corner cases the current code can
accept certain invalid inputs that will pass checks later and behave like
valid ones (due to signed integer overflow).

Reported-by: syzbot+3a4a07b62558bbbd3baa@syzkaller.appspotmail.com
This commit is contained in:
kamil 2019-10-04 14:17:07 +00:00
parent 6b43361992
commit ffd5d3e30b
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sys/kern/subr_time.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $ */ /* $NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $ */
/* /*
* Copyright (c) 1982, 1986, 1989, 1993 * Copyright (c) 1982, 1986, 1989, 1993
@ -33,7 +33,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $"); __KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $");
#include <sys/param.h> #include <sys/param.h>
#include <sys/kernel.h> #include <sys/kernel.h>
@ -329,6 +329,9 @@ ts2timo(clockid_t clock_id, int flags, struct timespec *ts,
int error; int error;
struct timespec tsd; struct timespec tsd;
if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000L)
return EINVAL;
flags &= TIMER_ABSTIME; flags &= TIMER_ABSTIME;
if (start == NULL) if (start == NULL)
start = &tsd; start = &tsd;