When covert the usec to nsec, it will multiple 1000, it maybe overflow and lead an undefined behavior.
For example, users may input an negative tv_usec values when call adjtimex syscall, then multiple 1000 maybe overflow it to a positive and legal number. So, we should validate the usec before coverted it to nsec. Signed-off-by: ZhangXiaoxu <zhangxiao...@huawei.com> --- kernel/time/timekeeping.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 44b726b..778796d 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -2321,6 +2321,9 @@ int do_adjtimex(struct __kernel_timex *txc) if (txc->modes & ADJ_SETOFFSET) { struct timespec64 delta; + + if (txc->time.tv_usec < 0 || txc->time.tv_usec >= USEC_PER_SEC) + return -EINVAL; delta.tv_sec = txc->time.tv_sec; delta.tv_nsec = txc->time.tv_usec; if (!(txc->modes & ADJ_NANO)) -- 2.7.4