From 4234e575a20f23a2a69f17a7dcc1fc41e68783e7 Mon Sep 17 00:00:00 2001 From: zhengbin <zhengbin13@huawei.com> Date: Tue, 16 Jul 2019 16:01:29 +0800 Subject: [PATCH] time: Validate user input in compat_settimeofday() mainline inclusion from mainline-v5.2 commit 9176ab1b848059a0cd9caf39f0cebaa1b7ec5ec2 category: bugfix bugzilla: 16631 CVE: NA --------------------------- The user value is validated after converting the timeval to a timespec, but for a wide range of negative tv_usec values the multiplication overflow turns them in positive numbers. So the 'validated later' is not catching the invalid input. Signed-off-by: zhengbin <zhengbin13@huawei.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/1562460701-113301-1-git-send-email-zhengbin13@huawei.com Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- kernel/time/time.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/time/time.c b/kernel/time/time.c index be057d6579f1..8ff9fbd16d63 100644 --- a/kernel/time/time.c +++ b/kernel/time/time.c @@ -251,6 +251,10 @@ COMPAT_SYSCALL_DEFINE2(settimeofday, struct compat_timeval __user *, tv, if (tv) { if (compat_get_timeval(&user_tv, tv)) return -EFAULT; + + if (!timeval_valid(&user_tv)) + return -EINVAL; + new_ts.tv_sec = user_tv.tv_sec; new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC; } -- GitLab