CVS commit: src/sys/kern

Sun, 26 Jun 2022 15:29:57 -0700 

Module Name:    src
Committed By:   riastradh
Date:           Sun Jun 26 22:31:58 UTC 2022

Modified Files:
        src/sys/kern: kern_time.c

Log Message:
setitimer(2): Guard against overflow in arithmetic.

Reported-by: syzbot+6036bc8b6d2b963e3...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.215 src/sys/kern/kern_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.214 src/sys/kern/kern_time.c:1.215
--- src/sys/kern/kern_time.c:1.214	Sun May 15 16:20:10 2022
+++ src/sys/kern/kern_time.c	Sun Jun 26 22:31:58 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.214 2022/05/15 16:20:10 riastradh Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.215 2022/06/26 22:31:58 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009, 2020
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.214 2022/05/15 16:20:10 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.215 2022/06/26 22:31:58 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/resourcevar.h>
@@ -1681,17 +1681,26 @@ dosetitimer(struct proc *p, int which, s
 	TIMEVAL_TO_TIMESPEC(&itvp->it_value, &it->it_time.it_value);
 	TIMEVAL_TO_TIMESPEC(&itvp->it_interval, &it->it_time.it_interval);
 
+	error = 0;
 	if (timespecisset(&it->it_time.it_value)) {
 		/* Convert to absolute time */
 		/* XXX need to wrap in splclock for timecounters case? */
 		switch (which) {
 		case ITIMER_REAL:
 			getnanotime(&now);
+			if (!timespecaddok(&it->it_time.it_value, &now)) {
+				error = EINVAL;
+				goto out;
+			}
 			timespecadd(&it->it_time.it_value, &now,
 			    &it->it_time.it_value);
 			break;
 		case ITIMER_MONOTONIC:
 			getnanouptime(&now);
+			if (!timespecaddok(&it->it_time.it_value, &now)) {
+				error = EINVAL;
+				goto out;
+			}
 			timespecadd(&it->it_time.it_value, &now,
 			    &it->it_time.it_value);
 			break;
@@ -1699,17 +1708,19 @@ dosetitimer(struct proc *p, int which, s
 			break;
 		}
 	}
+
 	error = itimer_settime(it);
 	if (error == ERESTART) {
 		KASSERT(!CLOCK_VIRTUAL_P(it->it_clockid));
 		goto restart;
 	}
 	KASSERT(error == 0);
+out:
 	itimer_unlock();
 	if (spare != NULL)
 		kmem_free(spare, sizeof(*spare));
 
-	return (0);
+	return error;
 }
 
 /*

Reply via email to