[PATCH AUTOSEL 3.18 12/29] alarmtimer: Prevent overflow for relative nanosleep

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	John Stultz <john.stultz@linaro.org>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 3.18 12/29] alarmtimer: Prevent overflow for relative nanosleep
Date: Mon, 17 Sep 2018 03:05:44 +0000	[thread overview]
Message-ID: <20180917030533.592-12-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180917030533.592-1-alexander.levin@microsoft.com>

From: Thomas Gleixner <tglx@linutronix.de>

[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ]

Air Icy reported:

  UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7
  signed integer overflow:
  1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int'
  Call Trace:
   alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811
   __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline]
   __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline]
   __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213
   do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290

alarm_timer_nsleep() uses ktime_add() to add the current time and the
relative expiry value. ktime_add() has no sanity checks so the addition
can overflow when the relative timeout is large enough.

Use ktime_add_safe() which has the necessary sanity checks in place and
limits the result to the valid range.

Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
Reported-by: Team OWL337 <icytxw@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <john.stultz@linaro.org>
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 kernel/time/alarmtimer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 119847b93ba6..0436d5edbccf 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -776,7 +776,8 @@ static int alarm_timer_nsleep(const clockid_t which_clock, int flags,
 	/* Convert (if necessary) to absolute time */
 	if (flags != TIMER_ABSTIME) {
 		ktime_t now = alarm_bases[type].gettime();
-		exp = ktime_add(now, exp);
+
+		exp = ktime_add_safe(now, exp);
 	}
 
 	if (alarmtimer_do_nsleep(&alarm, exp))
-- 
2.17.1

next prev parent reply	other threads:[~2018-09-17  8:33 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-17  3:05 [PATCH AUTOSEL 3.18 01/29] crypto: skcipher - Fix -Wstringop-truncation warnings Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 02/29] tsl2550: fix lux1_input error in low light Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 03/29] x86/numa_emulation: Fix emulated-to-physical node mapping Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 05/29] USB: serial: kobil_sct: fix modem-status error handling Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 04/29] uwb: hwa-rc: fix memory leak at probe Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 07/29] powerpc/kdump: Handle crashkernel memory reservation failure Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 06/29] media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 08/29] x86/tsc: Add missing header to tsc_msr.c Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 09/29] scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 10/29] scsi: ibmvscsi: Improve strings handling Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 11/29] usb: wusbcore: security: cast sizeof to int for comparison Sasha Levin
2018-09-17  3:05 ` Sasha Levin [this message]
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 13/29] s390/extmem: fix gcc 8 stringop-overflow warning Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 14/29] ALSA: snd-aoa: add of_node_put() in error path Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 15/29] media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 16/29] media: soc_camera: ov772x: correct setting of banding filter Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 18/29] drivers/tty: add error handling for pcmcia_loop_config Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 17/29] staging: android: ashmem: Fix mmap size validation Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 19/29] media: tm6000: add error handling for dvb_register_adapter Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 20/29] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 21/29] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 23/29] ARM: mvebu: declare asm symbols as character arrays in pmsu.c Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 22/29] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 24/29] HID: hid-ntrig: add error handling for sysfs_create_group Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 25/29] scsi: bnx2i: add error handling for ioremap_nocache Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 26/29] audit: Fix extended comparison of GID/EGID Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 27/29] ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 28/29] module: exclude SHN_UNDEF symbols from kallsyms api Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 29/29] nfsd: fix corrupted reply to badly ordered compound Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:119847b93ba dfblob:0436d5edbcc )
 OR (
bs:"[PATCH AUTOSEL 3.18 12/29] alarmtimer: Prevent overflow for relative nanosleep" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180917030533.592-12-alexander.levin@microsoft.com \
    --to=alexander.levin@microsoft.com \
    --cc=john.stultz@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).