From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753660AbcAGPwh (ORCPT <rfc822;w@1wt.eu>);
	Thu, 7 Jan 2016 10:52:37 -0500
Received: from kanga.kvack.org ([205.233.56.17]:33257 "EHLO kanga.kvack.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752283AbcAGPwf (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 7 Jan 2016 10:52:35 -0500
Date: Thu, 7 Jan 2016 10:52:34 -0500
From: Benjamin LaHaise <bcrl@kvack.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Jan Kara <jack@suse.cz>, Alexander Viro <viro@zeniv.linux.org.uk>,
        linux-aio <linux-aio@kvack.org>,
        "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>,
        Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Sasha Levin <sasha.levin@oracle.com>,
        Andrey Ryabinin <ryabinin.a.a@gmail.com>
Subject: Re: int overflow in io_getevents
Message-ID: <20160107155234.GM4439@kvack.org>
References: <CACT4Y+bBxVYLQ6LtOKrKtnLthqLHcw-BMp3aqP3mjdAvr9FULQ@mail.gmail.com> <20151216125618.GA16918@quack.suse.cz> <CACT4Y+auqXikZzMW327NNSkESYsvhJouVVW7o5ycPP_g-MgnKQ@mail.gmail.com> <20160106180158.GE4439@kvack.org> <CACT4Y+YqGRmXN47A3kcX-KKggyP04Ljfe_PXHyV48mAOgq8i-A@mail.gmail.com> <20160107153132.GL4439@kvack.org> <CACT4Y+bD6NXGf6Ry+9rP5mKWbQ1sWb2O-+8HuyRmiK+-gVJTtg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+bD6NXGf6Ry+9rP5mKWbQ1sWb2O-+8HuyRmiK+-gVJTtg@mail.gmail.com>
User-Agent: Mutt/1.4.2.2i
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 07, 2016 at 04:37:43PM +0100, Dmitry Vyukov wrote:
> pass ts to the function

Yeah, I should have had my morning coffee before hitting send.  Updated 
below, and hopefully final.  Checked with a test program to confirm that 
the huge value of seconds in timespec correctly waits, and that negative 
or other invalid values fail with EINVAL (download from
http://www.kvack.org/~bcrl/aio-io_getevents-timespec.c ).

		-ben
-- 
"Thought is the essence of where you are now."

commit 49b78150bc5762c58cfb8b19a859c354cf1a71ac
Author: Benjamin LaHaise <bcrl@kvack.org>
Date:   Thu Jan 7 10:37:58 2016 -0500

    aio: handle integer overflow in io_getevents() timespec usage
    
    Dmitry Vyukov reported an integer overflow in io_getevents() when
    running a fuzzer.  Upon investigation, the triggers appears to be that
    an invalid value for the tv_sec or tv_nsec was passed in which is not
    handled by timespec_to_ktime().  This patch fixes that by making
    io_getevents() return -EINVAL when timespec_valid() checks fail.  We
    use timespec_valid() instead of timespec_valid_strict() to avoid issues
    caused by userspace not knowing the cutoff for KTIME_SEC_MAX.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>

diff --git a/fs/aio.c b/fs/aio.c
index 155f842..e0d5398 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1269,6 +1269,8 @@ static long read_events(struct kioctx *ctx, long min_nr, long nr,
 
 		if (unlikely(copy_from_user(&ts, timeout, sizeof(ts))))
 			return -EFAULT;
+		if (!timespec_valid(&ts))
+			return -EINVAL;
 
 		until = timespec_to_ktime(ts);
 	}