lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1250240397.16632.37.camel@fnki-nb00130>
Date:	Fri, 14 Aug 2009 10:59:57 +0200
From:	Jens Rosenboom <jens@...one.net>
To:	Jan Wagner <jwagner@...p.hut.fi>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: 32-bit sys/times.h incorrect return value (fwd)

On Fri, 2009-08-14 at 10:36 +0200, Jens Rosenboom wrote:
> On Thu, 2009-08-13 at 18:32 +0300, Jan Wagner wrote: 
> > Hi,
> > 
> > we see times() return a really large positive value like 0x66693CF1 i.e. 
> > signed int32 +1718172913 just a few minutes after booting.
> > 
> > Note that clock_gettime(CLOCK_MONOTONIC) works correctly and returns the 
> > uptime. While times() +1718172913/100Hz time is in no relation to uptime.
> > 
> > Checking 'man 2 times': "Since Linux 2.6, this point is (2^32/HZ) - 300 (i.e., 
> > about 429 million) seconds before system boot time. [...] the returned value 
> > may overflow the range of clock_t [...]"
> > 
> > Hence in theory on a 32-bit platform where clock_t is signed 32-bit, at first 
> > times() should return negative values.
> > 
> > Then 300 seconds later they should become positive. Correct?
> > 
> > This should also happen via glibc times() call. There the times()
> >    ./sysdeps/unix/sysv/linux/times.c
> > simply does
> >    clock_t ret = INTERNAL_SYSCALL (times, err, 1, buf);
> > with no extra "+- some constant".
> > 
> > In the kernel all jiffies and times syscall related handling is 64-bit:
> > 
> > ---------
> > amn@...tics:/home/etu/Desktop/linux-2.6.30.3/include$ fgrep INITIAL_JIFFIES
> > linux/jiffies.h:#define INITIAL_JIFFIES ((unsigned long)(unsigned int) 
> > (-300*HZ))
> > 
> > kernel/sys.c:   return (long) jiffies_64_to_clock_t(get_jiffies_64());
> > 
> > kernel/time.c:u64 get_jiffies_64(void)
> > kernel/time.c:          ret = jiffies_64;
> > ---------
> > 
> > On 32-bit platforms and signed int32 clock_t it should take at least
> > 
> > octave:1>  2^31/(24*60*60 * 100)
> > ans =  248.55
> > octave:2>  (2^31/100 - 300)/(24*60*60)
> > ans =  248.55
> > 
> > days until the positive times() return value wraps back to smallest negative 
> > signed 32-bit int.
> > 
> > However, two bugs(?) :
> > 
> > 1) times() return value after 1080 'uptime' seconds is 0x66693CF1, why?
> > 
> > Expected value would be (1080-300)*100Hz = 78000 = 0x000130B0 !
> > 
> > 2) the times() wraps to negative only after 50 days uptime. Following the 
> > intention of INITIAL_JIFFIES, how is this 50-day warp supposed to reveal 
> > wrapping bugs right at 300 seconds after boot?
> > 
> > 2) on 64-bit platforms, clock_t is 64-bit. There times() does not wrap after 50 
> > days, however it still starts at 0x000000006669**** !?
> 
> 1718172913 * 2.5 is pretty close to 2^32, so I assume that you have
> CONFIG_HZ=250. With CONFIG_HZ=300 I am getting something like 1431542881
> instead which is close to 2^32/3. I'm not sure though where the wrong
> initial value comes from, maybe the INITIAL_JIFFIES definition uses the
> wrong HZ value.

On second though, there isn't any bug here at all, times() returns
jiffies converted to USER_HZ, so this can wrap at completely different
times than the 32-bit jiffies value itself.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ