https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211960

Conrad Meyer <c...@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |c...@freebsd.org

--- Comment #1 from Conrad Meyer <c...@freebsd.org> ---
I think the mechanism by which we fault here (amd64 and other 64-bit time_t
platforms) is:

days (int) is overflowed to be negative by:

  days = secs / SECDAY;  // (secs is time_t==int64_t on amd64)

ct->day (int) inherits a negative value from days.

In atrtc_set(), we invoke bin2bcd(ct.day) => bin2bcd_data[ct.day] (valid
indices are 0-99) => dereferencing 2GB before the array.

It seems like ct->day being negative (or more specifically, outside 0-31) is a
bug.  It seems like several places here could have better assertions to protect
against invalid ranges.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
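
The narrowing and the out-of-range index described in comment #1, as an added example that is not part of the bug report or of the FreeBSD source. The function names, the sample value and the arithmetic BCD conversion (standing in for the table lookup) are assumptions made for illustration.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

#define SECDAY 86400LL  /* seconds per day; same name as in the comment */

/* Constructed input: a 64-bit time whose day count is 2^31 + 5. */
static const int64_t SAMPLE_SECS = (2147483648LL + 5) * SECDAY + 123;

/* Models `days = secs / SECDAY` with an int destination. Converting an
 * out-of-range value to a signed int is implementation-defined; GCC and
 * Clang reduce it modulo 2^32, which the casts below spell out. */
static int days_narrowed(int64_t secs)
{
    return (int)(int32_t)(uint32_t)(secs / SECDAY);
}

/* Checked form: refuse times whose day count does not fit in an int. */
static int days_checked(int64_t secs, int *days)
{
    int64_t q = secs / SECDAY;

    if (secs < 0 || q > INT_MAX)
        return -1;
    *days = (int)q;
    return 0;
}

/* Hypothetical stand-in for a table-driven bin2bcd: only 0-99 is valid,
 * so the range is checked before the value could serve as an index. */
static int bin2bcd_checked(int bin, uint8_t *bcd)
{
    if (bin < 0 || bin > 99)
        return -1;
    *bcd = (uint8_t)(((bin / 10) << 4) | (bin % 10));
    return 0;
}

int main(void)
{
    uint8_t bcd = 0;
    int days = days_narrowed(SAMPLE_SECS);

    printf("narrowed days = %d\n", days);
    printf("bin2bcd_checked -> %d\n", bin2bcd_checked(days, &bcd));
    return 0;
}
```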
