Bug 197301
| Summary: | ./include/linux/time.h Integer Overflow | ||
|---|---|---|---|
| Product: | Timers | Reporter: | Pedro S Bap (pedbap.g) |
| Component: | Other | Assignee: | john stultz (john.stultz) |
| Status: | NEW --- | ||
| Severity: | high | ||
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | Latest | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | Proof-of-Concept file | ||
In order to reproduce the ubsan log, run strace ./poc |
Created attachment 260249 [details] Proof-of-Concept file Integer overflow on ./include/linux/time.h - attached you can find the PoC file. Ubsan log: ================================================================================ UBSAN: Undefined behaviour in ./include/linux/time.h:244:27 signed integer overflow: 35184372088832 * 1000000000 cannot be represented in type 'long int' CPU: 1 PID: 1986 Comm: syz-executor Not tainted 4.8.17 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014 0000000000000000 000000000e42994e ffff8800580dfa68 ffffffff8214c158 0000000041b58ab3 ffffffff83a85d08 ffffffff8214c080 ffff8800580dfa90 ffff8800580dfa30 000000000e42994e ffffffff842513e0 ffff8800580dfb68 Call Trace: [<ffffffff8214c158>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff8214c158>] dump_stack+0xd8/0x140 lib/dump_stack.c:51 [<ffffffff82235877>] ubsan_epilogue+0x12/0x86 lib/ubsan.c:164 [<ffffffff822373a6>] handle_overflow+0x234/0x28e lib/ubsan.c:195 [<ffffffff8223748c>] __ubsan_handle_mul_overflow+0x2a/0x3e lib/ubsan.c:219 [<ffffffff81520b5e>] timeval_to_ns include/linux/time.h:244 [inline] [<ffffffff81520b5e>] set_cpu_itimer+0x82e/0xa50 kernel/time/itimer.c:155 [<ffffffff8152148a>] do_setitimer+0x13a/0x8e0 kernel/time/itimer.c:233 [<ffffffff81521e7b>] SYSC_setitimer kernel/time/itimer.c:294 [inline] [<ffffffff81521e7b>] SyS_setitimer+0xfb/0x260 kernel/time/itimer.c:278 [<ffffffff83362cb6>] entry_SYSCALL_64_fastpath+0x1e/0xa8