• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2019 SUSE LLC <mdoucha@suse.cz>
4  */
5 
6 /*
7  * CVE 2018-12896
8  *
9  * Check for possible overflow of posix timer overrun counter. Create
10  * a CLOCK_REALTIME timer, set extremely low timer interval and expiration
11  * value just right to cause overrun overflow into negative values, start
12  * the timer with TIMER_ABSTIME flag to cause overruns immediately. Then just
13  * check the overrun counter in the timer signal handler. On a patched system,
14  * the value returned by timer_getoverrun() should be capped at INT_MAX and
15  * not allowed to overflow into negative range. Bug fixed in:
16  *
17  *  commit 78c9c4dfbf8c04883941445a195276bb4bb92c76
18  *  Author: Thomas Gleixner <tglx@linutronix.de>
19  *  Date:   Tue Jun 26 15:21:32 2018 +0200
20  *
21  *  posix-timers: Sanitize overrun handling
22  */
23 
24 #include <unistd.h>
25 #include <signal.h>
26 #include <time.h>
27 #include <limits.h>
28 
29 #include "tst_test.h"
30 #include "tst_safe_clocks.h"
31 
32 static timer_t timer;
33 static volatile int handler_called, overrun, saved_errno;
34 
35 static struct timespec realtime_resolution;
36 
sighandler(int sig LTP_ATTRIBUTE_UNUSED)37 static void sighandler(int sig LTP_ATTRIBUTE_UNUSED)
38 {
39 	struct itimerspec spec;
40 
41 	/*
42 	 * Signal handler will be called twice in total because kernel will
43 	 * schedule another pending signal before the timer gets disabled.
44 	 */
45 	if (handler_called)
46 		return;
47 
48 	errno = 0;
49 	overrun = timer_getoverrun(timer);
50 	saved_errno = errno;
51 	memset(&spec, 0, sizeof(struct itimerspec));
52 	SAFE_TIMER_SETTIME(timer, 0, &spec, NULL);
53 	handler_called = 1;
54 }
55 
setup(void)56 static void setup(void)
57 {
58 	struct sigevent sev;
59 
60 	memset(&sev, 0, sizeof(struct sigevent));
61 	sev.sigev_notify = SIGEV_SIGNAL;
62 	sev.sigev_signo = SIGUSR1;
63 
64 	SAFE_SIGNAL(SIGUSR1, sighandler);
65 	SAFE_TIMER_CREATE(CLOCK_REALTIME, &sev, &timer);
66 
67 	SAFE_CLOCK_GETRES(CLOCK_REALTIME, &realtime_resolution);
68 
69 	tst_res(TINFO, "CLOCK_REALTIME resolution %lins",
70 	        (long)realtime_resolution.tv_nsec);
71 }
72 
run(void)73 static void run(void)
74 {
75 	int handler_delay = INT_MAX / 7;
76 	long nsec;
77 	struct itimerspec spec;
78 
79 	handler_called = 0;
80 	memset(&spec, 0, sizeof(struct itimerspec));
81 	SAFE_CLOCK_GETTIME(CLOCK_REALTIME, &spec.it_value);
82 	nsec = (handler_delay % 100000000) * 10L;
83 
84 	if (nsec > spec.it_value.tv_nsec) {
85 		spec.it_value.tv_sec -= 1;
86 		spec.it_value.tv_nsec += 1000000000;
87 	}
88 
89 	/* spec.it_value = now - 1.4 * max overrun value */
90 	/* IOW, overflow will land right in the middle of negative range */
91 	spec.it_value.tv_sec -= (handler_delay / 100000000) * realtime_resolution.tv_nsec;
92 	spec.it_value.tv_nsec -= nsec;
93 	spec.it_interval.tv_nsec = realtime_resolution.tv_nsec;
94 
95 	SAFE_TIMER_SETTIME(timer, TIMER_ABSTIME, &spec, NULL);
96 	while (!handler_called);
97 	errno = saved_errno;
98 
99 	if (overrun == -1)
100 		tst_brk(TBROK | TERRNO, "Error reading timer overrun count");
101 
102 	if (overrun == INT_MAX) {
103 		tst_res(TPASS, "Timer overrun count is capped");
104 		return;
105 	}
106 
107 	if (overrun < 0) {
108 		tst_res(TFAIL, "Timer overrun counter overflow");
109 		return;
110 	}
111 
112 	tst_res(TFAIL, "Timer overrun counter is wrong: %d; expected %d or "
113 		"negative number", overrun, INT_MAX);
114 }
115 
cleanup(void)116 static void cleanup(void)
117 {
118 	SAFE_TIMER_DELETE(timer);
119 }
120 
121 static struct tst_test test = {
122 	.test_all = run,
123 	.setup = setup,
124 	.cleanup = cleanup,
125 	.tags = (const struct tst_tag[]) {
126 		{"linux-git", "78c9c4dfbf8c"},
127 		{"CVE", "2018-12896"},
128 		{}
129 	}
130 };
131