From patchwork Wed Dec 13 13:42:52 2017
X-Patchwork-Submitter: Zhen Lei
X-Patchwork-Id: 121772
From: Zhen Lei
To: Alexander Viro, Benjamin LaHaise, linux-fsdevel, linux-aio, linux-kernel
CC: Tianhong Ding, Hanjun Guo, Libin, Kefeng Wang, Zhen Lei
Subject: [PATCH 1/1] aio: make sure the input "timeout" value is valid
Date: Wed, 13 Dec 2017 21:42:52 +0800
Message-ID: <1513172572-16724-1-git-send-email-thunder.leizhen@huawei.com>

The information below was reported by a lower kernel version, and I saw that the problem still exists in the current version.

UBSAN: Undefined behaviour in include/linux/ktime.h:55:34
signed integer overflow:
-4971973988617027584 * 1000000000 cannot be represented in type 'long int'
......
[] timespec_to_ktime include/linux/ktime.h:55 [inline]
[] read_events+0x4c8/0x5d0 fs/aio.c:1269
[] SYSC_io_getevents fs/aio.c:1733 [inline]
[] SyS_io_getevents+0xd4/0x218 fs/aio.c:1722

Signed-off-by: Zhen Lei
---
 fs/aio.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
1.8.3

Acked-by: Benjamin LaHaise

diff --git a/fs/aio.c b/fs/aio.c index a062d75..19f7661 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1858,6 +1858,9 @@ static long do_io_getevents(aio_context_t ctx_id, if (timeout) { if (unlikely(get_timespec64(&ts, timeout))) return -EFAULT; + + if (!timespec64_valid(&ts)) + return -EINVAL; } return do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &ts : NULL); 
@@ -1876,6 +1879,8 @@ static long do_io_getevents(aio_context_t ctx_id, if (compat_get_timespec64(&t, timeout)) return -EFAULT; + if (!timespec64_valid(&t)) + return -EINVAL; } return do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &t : NULL);
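
Review bot: In the first hunk (native path, @@ -1858), the new `return -EINVAL` after `get_timespec64(&ts, timeout)` changes what userspace sees for a timeout that fails `timespec64_valid()`, but the changelog carries only the UBSAN trace. Please state in the commit message that such timeouts are now rejected with -EINVAL before they reach the conversion in timespec_to_ktime (include/linux/ktime.h:55) where the signed overflow was reported. The empty `+` line ahead of the check is also not matched in the compat hunk; use the same spacing in both places.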
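
Review bot: The check in the second hunk (compat path, @@ -1876) is a copy of the one added to the native path, and both callers then hand the value to `do_io_getevents(ctx_id, min_nr, nr, events, timeout ? &t : NULL)`. Consider validating once inside do_io_getevents() when the timespec pointer is non-NULL, which puts the test closer to the timespec-to-ktime conversion shown in the trace and means a later caller cannot skip it.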