1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC <mdoucha@suse.cz>
4 */
5
6 /*
7 * CVE 2018-12896
8 *
9 * Check for possible overflow of posix timer overrun counter. Create
10 * a CLOCK_REALTIME timer, set extremely low timer interval and expiration
11 * value just right to cause overrun overflow into negative values, start
12 * the timer with TIMER_ABSTIME flag to cause overruns immediately. Then just
13 * check the overrun counter in the timer signal handler. On a patched system,
14 * the value returned by timer_getoverrun() should be capped at INT_MAX and
15 * not allowed to overflow into negative range. Bug fixed in:
16 *
17 * commit 78c9c4dfbf8c04883941445a195276bb4bb92c76
18 * Author: Thomas Gleixner <tglx@linutronix.de>
19 * Date: Tue Jun 26 15:21:32 2018 +0200
20 *
21 * posix-timers: Sanitize overrun handling
22 */
23
24 #include <unistd.h>
25 #include <signal.h>
26 #include <time.h>
27 #include <limits.h>
28
29 #include "tst_test.h"
30 #include "tst_safe_clocks.h"
31
32 static timer_t timer;
33 static volatile int handler_called, overrun, saved_errno;
34
sighandler(int sig LTP_ATTRIBUTE_UNUSED)35 static void sighandler(int sig LTP_ATTRIBUTE_UNUSED)
36 {
37 struct itimerspec spec;
38
39 /*
40 * Signal handler will be called twice in total because kernel will
41 * schedule another pending signal before the timer gets disabled.
42 */
43 if (handler_called)
44 return;
45
46 errno = 0;
47 overrun = timer_getoverrun(timer);
48 saved_errno = errno;
49 memset(&spec, 0, sizeof(struct itimerspec));
50 SAFE_TIMER_SETTIME(timer, 0, &spec, NULL);
51 handler_called = 1;
52 }
53
setup(void)54 static void setup(void)
55 {
56 struct sigevent sev;
57
58 memset(&sev, 0, sizeof(struct sigevent));
59 sev.sigev_notify = SIGEV_SIGNAL;
60 sev.sigev_signo = SIGUSR1;
61
62 SAFE_SIGNAL(SIGUSR1, sighandler);
63 SAFE_TIMER_CREATE(CLOCK_REALTIME, &sev, &timer);
64 }
65
run(void)66 static void run(void)
67 {
68 int handler_delay = INT_MAX / 7;
69 long nsec;
70 struct itimerspec spec;
71
72 handler_called = 0;
73 memset(&spec, 0, sizeof(struct itimerspec));
74 SAFE_CLOCK_GETTIME(CLOCK_REALTIME, &spec.it_value);
75 nsec = (handler_delay % 100000000) * 10L;
76
77 if (nsec > spec.it_value.tv_nsec) {
78 spec.it_value.tv_sec -= 1;
79 spec.it_value.tv_nsec += 1000000000;
80 }
81
82 /* spec.it_value = now - 1.4 * max overrun value */
83 /* IOW, overflow will land right in the middle of negative range */
84 spec.it_value.tv_sec -= handler_delay / 100000000;
85 spec.it_value.tv_nsec -= nsec;
86 spec.it_interval.tv_nsec = 1;
87
88 SAFE_TIMER_SETTIME(timer, TIMER_ABSTIME, &spec, NULL);
89 while (!handler_called);
90 errno = saved_errno;
91
92 if (overrun == -1)
93 tst_brk(TBROK | TERRNO, "Error reading timer overrun count");
94
95 if (overrun == INT_MAX) {
96 tst_res(TPASS, "Timer overrun count is capped");
97 return;
98 }
99
100 if (overrun < 0) {
101 tst_res(TFAIL, "Timer overrun counter overflow");
102 return;
103 }
104
105 tst_res(TFAIL, "Timer overrun counter is wrong: %d; expected %d or "
106 "negative number", overrun, INT_MAX);
107 }
108
cleanup(void)109 static void cleanup(void)
110 {
111 SAFE_TIMER_DELETE(timer);
112 }
113
114 static struct tst_test test = {
115 .test_all = run,
116 .setup = setup,
117 .cleanup = cleanup,
118 .needs_kconfigs = (const char *[]) {
119 "CONFIG_HIGH_RES_TIMERS=y",
120 NULL
121 },
122 .tags = (const struct tst_tag[]) {
123 {"linux-git", "78c9c4dfbf8c"},
124 {"CVE", "2018-12896"},
125 {}
126 }
127 };
128