1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC <mdoucha@suse.cz>
4 */
5
6 /*
7 * CVE 2018-12896
8 *
9 * Check for possible overflow of posix timer overrun counter. Create
10 * a CLOCK_REALTIME timer, set extremely low timer interval and expiration
11 * value just right to cause overrun overflow into negative values, start
12 * the timer with TIMER_ABSTIME flag to cause overruns immediately. Then just
13 * check the overrun counter in the timer signal handler. On a patched system,
14 * the value returned by timer_getoverrun() should be capped at INT_MAX and
15 * not allowed to overflow into negative range. Bug fixed in:
16 *
17 * commit 78c9c4dfbf8c04883941445a195276bb4bb92c76
18 * Author: Thomas Gleixner <tglx@linutronix.de>
19 * Date: Tue Jun 26 15:21:32 2018 +0200
20 *
21 * posix-timers: Sanitize overrun handling
22 */
23
24 #include <unistd.h>
25 #include <signal.h>
26 #include <time.h>
27 #include <limits.h>
28
29 #include "tst_test.h"
30 #include "tst_safe_clocks.h"
31
32 static timer_t timer;
33 static volatile int handler_called, overrun, saved_errno;
34
35 static struct timespec realtime_resolution;
36
sighandler(int sig LTP_ATTRIBUTE_UNUSED)37 static void sighandler(int sig LTP_ATTRIBUTE_UNUSED)
38 {
39 struct itimerspec spec;
40
41 /*
42 * Signal handler will be called twice in total because kernel will
43 * schedule another pending signal before the timer gets disabled.
44 */
45 if (handler_called)
46 return;
47
48 errno = 0;
49 overrun = timer_getoverrun(timer);
50 saved_errno = errno;
51 memset(&spec, 0, sizeof(struct itimerspec));
52 SAFE_TIMER_SETTIME(timer, 0, &spec, NULL);
53 handler_called = 1;
54 }
55
setup(void)56 static void setup(void)
57 {
58 struct sigevent sev;
59
60 memset(&sev, 0, sizeof(struct sigevent));
61 sev.sigev_notify = SIGEV_SIGNAL;
62 sev.sigev_signo = SIGUSR1;
63
64 SAFE_SIGNAL(SIGUSR1, sighandler);
65 SAFE_TIMER_CREATE(CLOCK_REALTIME, &sev, &timer);
66
67 SAFE_CLOCK_GETRES(CLOCK_REALTIME, &realtime_resolution);
68
69 tst_res(TINFO, "CLOCK_REALTIME resolution %lins",
70 (long)realtime_resolution.tv_nsec);
71 }
72
run(void)73 static void run(void)
74 {
75 int handler_delay = INT_MAX / 7;
76 long nsec;
77 struct itimerspec spec;
78
79 handler_called = 0;
80 memset(&spec, 0, sizeof(struct itimerspec));
81 SAFE_CLOCK_GETTIME(CLOCK_REALTIME, &spec.it_value);
82 nsec = (handler_delay % 100000000) * 10L;
83
84 if (nsec > spec.it_value.tv_nsec) {
85 spec.it_value.tv_sec -= 1;
86 spec.it_value.tv_nsec += 1000000000;
87 }
88
89 /* spec.it_value = now - 1.4 * max overrun value */
90 /* IOW, overflow will land right in the middle of negative range */
91 spec.it_value.tv_sec -= (handler_delay / 100000000) * realtime_resolution.tv_nsec;
92 spec.it_value.tv_nsec -= nsec;
93 spec.it_interval.tv_nsec = realtime_resolution.tv_nsec;
94
95 SAFE_TIMER_SETTIME(timer, TIMER_ABSTIME, &spec, NULL);
96 while (!handler_called);
97 errno = saved_errno;
98
99 if (overrun == -1)
100 tst_brk(TBROK | TERRNO, "Error reading timer overrun count");
101
102 if (overrun == INT_MAX) {
103 tst_res(TPASS, "Timer overrun count is capped");
104 return;
105 }
106
107 if (overrun < 0) {
108 tst_res(TFAIL, "Timer overrun counter overflow");
109 return;
110 }
111
112 tst_res(TFAIL, "Timer overrun counter is wrong: %d; expected %d or "
113 "negative number", overrun, INT_MAX);
114 }
115
cleanup(void)116 static void cleanup(void)
117 {
118 SAFE_TIMER_DELETE(timer);
119 }
120
121 static struct tst_test test = {
122 .test_all = run,
123 .setup = setup,
124 .cleanup = cleanup,
125 .tags = (const struct tst_tag[]) {
126 {"linux-git", "78c9c4dfbf8c"},
127 {"CVE", "2018-12896"},
128 {}
129 }
130 };
131