lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Aug 2009 10:36:27 +0200 From: Jens Rosenboom <jens@...one.net> To: Jan Wagner <jwagner@...p.hut.fi> Cc: linux-kernel@...r.kernel.org Subject: Re: 32-bit sys/times.h incorrect return value (fwd) On Thu, 2009-08-13 at 18:32 +0300, Jan Wagner wrote: > Hi, > > we see times() return a really large positive value like 0x66693CF1 i.e. > signed int32 +1718172913 just a few minutes after booting. > > Note that clock_gettime(CLOCK_MONOTONIC) works correctly and returns the > uptime. While times() +1718172913/100Hz time is in no relation to uptime. > > Checking 'man 2 times': "Since Linux 2.6, this point is (2^32/HZ) - 300 (i.e., > about 429 million) seconds before system boot time. [...] the returned value > may overflow the range of clock_t [...]" > > Hence in theory on a 32-bit platform where clock_t is signed 32-bit, at first > times() should return negative values. > > Then 300 seconds later they should become positive. Correct? > > This should also happen via glibc times() call. There the times() > ./sysdeps/unix/sysv/linux/times.c > simply does > clock_t ret = INTERNAL_SYSCALL (times, err, 1, buf); > with no extra "+- some constant". > > In the kernel all jiffies and times syscall related handling is 64-bit: > > --------- > amn@...tics:/home/etu/Desktop/linux-2.6.30.3/include$ fgrep INITIAL_JIFFIES > linux/jiffies.h:#define INITIAL_JIFFIES ((unsigned long)(unsigned int) > (-300*HZ)) > > kernel/sys.c: return (long) jiffies_64_to_clock_t(get_jiffies_64()); > > kernel/time.c:u64 get_jiffies_64(void) > kernel/time.c: ret = jiffies_64; > --------- > > On 32-bit platforms and signed int32 clock_t it should take at least > > octave:1> 2^31/(24*60*60 * 100) > ans = 248.55 > octave:2> (2^31/100 - 300)/(24*60*60) > ans = 248.55 > > days until the positive times() return value wraps back to smallest negative > signed 32-bit int. > > However, two bugs(?) : > > 1) times() return value after 1080 'uptime' seconds is 0x66693CF1, why? > > Expected value would be (1080-300)*100Hz = 78000 = 0x000130B0 ! > > 2) the times() wraps to negative only after 50 days uptime. Following the > intention of INITIAL_JIFFIES, how is this 50-day warp supposed to reveal > wrapping bugs right at 300 seconds after boot? > > 2) on 64-bit platforms, clock_t is 64-bit. There times() does not wrap after 50 > days, however it still starts at 0x000000006669**** !? 1718172913 * 2.5 is pretty close to 2^32, so I assume that you have CONFIG_HZ=250. With CONFIG_HZ=300 I am getting something like 1431542881 instead which is close to 2^32/3. I'm not sure though where the wrong initial value comes from, maybe the INITIAL_JIFFIES definition uses the wrong HZ value. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists