From: Szabolcs Nagy
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Signed integer overflow in __secs_to_tm
Date: Wed, 7 Oct 2015 12:22:53 +0200
Message-ID: <20151007102253.GO10551@port70.net>
References: <56177AD6-23A7-44A5-B72B-D139DC14F813@mastenbrook.net>
In-Reply-To: <56177AD6-23A7-44A5-B72B-D139DC14F813@mastenbrook.net>
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
User-Agent: Mutt/1.5.23 (2014-03-12)

* Brian Mastenbrook [2015-10-06 19:09:45 -0500]:
> __secs_to_tm (used by gmtime_r et al) may invoke undefined behavior due to
> signed integer overflow in two places. At __secs_to_tm.c:58, 400*qc_cycles
> may overflow. At __secs_to_tm.c:63, there is a nonsensical comparison
> between an already overflowed value and INT_MAX or INT_MIN; the compiler
> will delete this test due to overflow.
>
> Here are some example values that provoke the overflow:
>

i think that computation was supposed to be done with long longs
and then the comparison is sensical and both problems go away.
can you try the attached patch?

> t = -67771633420944000
>
> __secs_to_tm.c:58:[kernel] warning: signed overflow. assert -2147483648 ≤ 400*qc_cycles;
>
> t = 67768037838810496
>
> __secs_to_tm.c:63:[kernel] warning: signed overflow. assert years+100 ≤ 2147483647;
>
> These errors were found using KLEE and clang's undefined behavior sanitizer
> together. (Unfortunately KLEE also produced a false report of an
> out-of-bounds access to the days_in_month array due to a solver bug.)
>

i have some questions: have you looked at other parts of musl?
can klee model libc/syscall api behaviour?
is it possible to instrument a libc.a with klee and then use small
programs to check various libc interfaces?

[attachment: tm.diff, text/x-diff]

diff --git a/src/time/__secs_to_tm.c b/src/time/__secs_to_tm.c
index f3c1cf9..3a3123a 100644
--- a/src/time/__secs_to_tm.c
+++ b/src/time/__secs_to_tm.c
@@ -10,10 +10,10 @@
 
 int __secs_to_tm(long long t, struct tm *tm)
 {
-	long long days, secs;
+	long long days, secs, years;
 	int remdays, remsecs, remyears;
 	int qc_cycles, c_cycles, q_cycles;
-	int years, months;
+	int months;
 	int wday, yday, leap;
 	static const char days_in_month[] = {31,30,31,30,31,31,30,31,30,31,31,29};
 
@@ -55,7 +55,7 @@ int __secs_to_tm(long long t, struct tm *tm)
 	yday = remdays + 31 + 28 + leap;
 	if (yday >= 365+leap) yday -= 365+leap;
 
-	years = remyears + 4*q_cycles + 100*c_cycles + 400*qc_cycles;
+	years = remyears + 4*q_cycles + 100*c_cycles + 400LL*qc_cycles;
 
 	for (months=0; days_in_month[months] <= remdays; months++)
 		remdays -= days_in_month[months];
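Review bot: in the first hunk (the declarations), `years` becomes `long long` but every use of it lies outside the hunk, including the INT_MAX/INT_MIN comparison at line 63 that the report says the compiler currently deletes; a one-line note in the commit message saying that the comparison is now evaluated in 64-bit before the value is narrowed back to int would let a reviewer reading only this diff see what the declaration change is meant to repair.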
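Review bot: in the second hunk only `400*qc_cycles` gets the `LL` suffix, so `4*q_cycles` and `100*c_cycles` are still computed in int before they are added to the 64-bit sum. The report flags only the 400 term, and if q_cycles and c_cycles are bounded remainders within a 400-year cycle, as their names suggest, that is fine, but a short comment on that line saying why the suffix is needed on one term only would stop a future reader from "fixing" the asymmetry.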
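The years computation that the report and the attached patch are about, as an added example that is not musl's code: it redoes the 400/100/4-year cycle reduction from __secs_to_tm with a 64-bit `years`, so the INT_MAX/INT_MIN test is meaningful, and rejects both t values from the report instead of overflowing. The LEAPOCH and DAYS_PER_* constants are as defined in musl's __secs_to_tm.c (not shown in the diff); `secs_to_year` and `year_or_reject` are names chosen here.

```c
#include <limits.h>

/* Constants as defined in musl's __secs_to_tm.c: the epoch is shifted to
 * 2000-03-01 so that leap days fall at the end of every 4/100/400-year cycle. */
#define LEAPOCH (946684800LL + 86400*(31+29))
#define DAYS_PER_400Y (365*400 + 97)
#define DAYS_PER_100Y (365*100 + 24)
#define DAYS_PER_4Y   (365*4   + 1)

/* Computes tm_year (years since 1900) for UTC seconds t. Returns 0 on success,
 * -1 when the year does not fit in an int. `years` is a long long, so the
 * INT_MAX/INT_MIN test below compares a value that has not overflowed; with an
 * int `years` the same test is dead code, which is the bug in the report. */
int secs_to_year(long long t, int *year)
{
	static const char days_in_month[] = {31,30,31,30,31,31,30,31,30,31,31,29};
	long long secs, days, years;
	int remdays, remyears, qc_cycles, c_cycles, q_cycles, months;

	if (t < LLONG_MIN + LEAPOCH) return -1;  /* t - LEAPOCH would overflow */
	secs = t - LEAPOCH;
	days = secs / 86400;
	if (secs % 86400 < 0) days--;            /* floor, not truncate, for t < LEAPOCH */
	qc_cycles = days / DAYS_PER_400Y;        /* below 2^31 for every long long t */
	remdays = days % DAYS_PER_400Y;
	if (remdays < 0) { remdays += DAYS_PER_400Y; qc_cycles--; }
	c_cycles = remdays / DAYS_PER_100Y;
	if (c_cycles == 4) c_cycles--;
	remdays -= c_cycles * DAYS_PER_100Y;
	q_cycles = remdays / DAYS_PER_4Y;
	if (q_cycles == 25) q_cycles--;
	remdays -= q_cycles * DAYS_PER_4Y;
	remyears = remdays / 365;
	if (remyears == 4) remyears--;
	remdays -= remyears * 365;

	/* 400LL moves the one term that can exceed int into 64-bit arithmetic */
	years = remyears + 4*q_cycles + 100*c_cycles + 400LL*qc_cycles;
	for (months = 0; days_in_month[months] <= remdays; months++)
		remdays -= days_in_month[months];
	if (months >= 10) years++;               /* Jan/Feb count toward the next year */

	if (years + 100 > INT_MAX || years + 100 < INT_MIN) return -1;
	*year = (int)(years + 100);
	return 0;
}

/* Test helper: the tm_year value, or LLONG_MIN when t is rejected. */
long long year_or_reject(long long t) { int y; return secs_to_year(t, &y) ? LLONG_MIN : y; }
```

For t = 67768037838810496 the 64-bit sum is 2147483600, so years+100 exceeds INT_MAX and the function rejects it; for t = -67771633420944000 the 400LL term alone is -2147597600, which an int `years` could never have held.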