| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Aug 2009 10:59:57 +0200 From: Jens Rosenboom <jens@...one.net> To: Jan Wagner <jwagner@...p.hut.fi> Cc: linux-kernel@...r.kernel.org Subject: Re: 32-bit sys/times.h incorrect return value (fwd) On Fri, 2009-08-14 at 10:36 +0200, Jens Rosenboom wrote: > On Thu, 2009-08-13 at 18:32 +0300, Jan Wagner wrote: > > Hi, > > > > we see times() return a really large positive value like 0x66693CF1 i.e. > > signed int32 +1718172913 just a few minutes after booting. > > > > Note that clock_gettime(CLOCK_MONOTONIC) works correctly and returns the > > uptime. While times() +1718172913/100Hz time is in no relation to uptime. > > > > Checking 'man 2 times': "Since Linux 2.6, this point is (2^32/HZ) - 300 (i.e., > > about 429 million) seconds before system boot time. [...] the returned value > > may overflow the range of clock_t [...]" > > > > Hence in theory on a 32-bit platform where clock_t is signed 32-bit, at first > > times() should return negative values. > > > > Then 300 seconds later they should become positive. Correct? > > > > This should also happen via glibc times() call. There the times() > > ./sysdeps/unix/sysv/linux/times.c > > simply does > > clock_t ret = INTERNAL_SYSCALL (times, err, 1, buf); > > with no extra "+- some constant". > > > > In the kernel all jiffies and times syscall related handling is 64-bit: > > > > --------- > > amn@...tics:/home/etu/Desktop/linux-2.6.30.3/include$ fgrep INITIAL_JIFFIES > > linux/jiffies.h:#define INITIAL_JIFFIES ((unsigned long)(unsigned int) > > (-300*HZ)) > > > > kernel/sys.c: return (long) jiffies_64_to_clock_t(get_jiffies_64()); > > > > kernel/time.c:u64 get_jiffies_64(void) > > kernel/time.c: ret = jiffies_64; > > --------- > > > > On 32-bit platforms and signed int32 clock_t it should take at least > > > > octave:1> 2^31/(24*60*60 * 100) > > ans = 248.55 > > octave:2> (2^31/100 - 300)/(24*60*60) > > ans = 248.55 > > > > days until the positive times() return value wraps back to smallest negative > > signed 32-bit int. > > > > However, two bugs(?) : > > > > 1) times() return value after 1080 'uptime' seconds is 0x66693CF1, why? > > > > Expected value would be (1080-300)*100Hz = 78000 = 0x000130B0 ! > > > > 2) the times() wraps to negative only after 50 days uptime. Following the > > intention of INITIAL_JIFFIES, how is this 50-day warp supposed to reveal > > wrapping bugs right at 300 seconds after boot? > > > > 2) on 64-bit platforms, clock_t is 64-bit. There times() does not wrap after 50 > > days, however it still starts at 0x000000006669**** !? > > 1718172913 * 2.5 is pretty close to 2^32, so I assume that you have > CONFIG_HZ=250. With CONFIG_HZ=300 I am getting something like 1431542881 > instead which is close to 2^32/3. I'm not sure though where the wrong > initial value comes from, maybe the INITIAL_JIFFIES definition uses the > wrong HZ value. On second though, there isn't any bug here at all, times() returns jiffies converted to USER_HZ, so this can wrap at completely different times than the 32-bit jiffies value itself. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists