Skip to content

Commit

Permalink
Avoid signed integer overflow in ts2timo() for ts->tv_nsec
Browse files Browse the repository at this point in the history 
The condition would be rechecked later again after subtracting start time
and most invalid inputs rejected. In corner cases the current code can
accept certain invalid inputs that will pass checks later and behave like
valid ones (due to signed integer overflow).

Reported-by: syzbot+3a4a07b62558bbbd3baa@syzkaller.appspotmail.com
  • Loading branch information
@krytarowski
krytarowski committed Oct 4, 2019
1 parent 6b43361 commit ffd5d3e
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions sys/kern/subr_time.c
View file
@@ -1,4 +1,4 @@
/* $NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $ */
/* $NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $ */

/*
* Copyright (c) 1982, 1986, 1989, 1993
Expand Down Expand Up @@ -33,7 +33,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $");

#include <sys/param.h>
#include <sys/kernel.h>
Expand Down Expand Up @@ -329,6 +329,9 @@ ts2timo(clockid_t clock_id, int flags, struct timespec *ts,
int error;
struct timespec tsd;

if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000L)
return EINVAL;

flags &= TIMER_ABSTIME;
if (start == NULL)
start = &tsd;
Expand Down

0 comments on commit ffd5d3e

Please sign in to comment.