References: <20200916110738.9904-1-lukma@denx.de> <20200916110738.9904-2-lukma@denx.de>
In-Reply-To: <20200916110738.9904-2-lukma@denx.de>
From: Alistair Francis
Date: Wed, 16 Sep 2020 07:59:18 -0700
Subject: Re: [PATCH 2/2] nptl: Provide NULL abstime pointer handling in __futex_abstimed_wait_cancelable32
To: Lukasz Majewski
Cc: Joseph Myers, Paul Eggert, Adhemerval Zanella, Arnd Bergmann, Alistair Francis, GNU C Library, Florian Weimer, "Carlos O'Donell", Stepan Golosunov, Andreas Schwab, Zack Weinberg, Jeff Law

On Wed, Sep 16, 2020 at 4:07 AM Lukasz Majewski wrote:
>
> This change fixes an issue where a NULL pointer would be passed to
> __futex_abstimed_wait_cancelable32.
>
> The call log for passing NULL as the *abstime pointer:
>
> sem_wait (versioned symbol)
>   |
>  \|/
> __new_sem_wait
>   | (here the NULL is passed as *abstime)
>  \|/
> __new_sem_wait_slow64
>   |
>  \|/
> do_futex_wait
>   |
>  \|/
> __futex_abstimed_wait_cancelable64
>   |
>  \|/
> __futex_abstimed_wait_cancelable32
>
> In this function the *abstime is dereferenced when checking if we have
> time_t in range and when converting to a 32 bit struct timespec to pass it
> to the futex syscall, which supports 32 bit time.

Reviewed-by: Alistair Francis

Alistair

> ---
>  sysdeps/nptl/futex-internal.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/sysdeps/nptl/futex-internal.c b/sysdeps/nptl/futex-internal.c
> index a4fc1dc52f..3211b4c94f 100644
> --- a/sysdeps/nptl/futex-internal.c > +++ b/sysdeps/nptl/futex-internal.c > @@ -29,17 +29,21 @@ __futex_abstimed_wait_cancelable32 (unsigned int* futex_word, > const struct __timespec64* abstime, > int private) > { > - if (! in_time_t_range (abstime->tv_sec)) > + struct timespec ts32; > + > + if (abstime != NULL && ! in_time_t_range (abstime->tv_sec)) > return -EOVERFLOW; > > unsigned int clockbit = (clockid == CLOCK_REALTIME) > ? FUTEX_CLOCK_REALTIME : 0; > int op = __lll_private_flag (FUTEX_WAIT_BITSET | clockbit, private); > > - struct timespec ts32 = valid_timespec64_to_timespec (*abstime); > + if (abstime != NULL) > + ts32 = valid_timespec64_to_timespec (*abstime); > + > return INTERNAL_SYSCALL_CANCEL (futex, futex_word, op, expected, > - &ts32, NULL /* Unused. */, > - FUTEX_BITSET_MATCH_ANY); > + abstime != NULL ? &ts32 : NULL, > + NULL /* Unused. */, FUTEX_BITSET_MATCH_ANY); > } > > static int > -- > 2.20.1 >
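Review bot: the NULL test is evaluated three times in this hunk (the in_time_t_range guard, the conversion, and the `abstime != NULL ? &ts32 : NULL` syscall argument), and `struct timespec ts32;` is now left uninitialized on the NULL path, which is correct but easy to break on a later edit. One branch keeps the range check and the conversion together and gives the syscall a single pointer to pass: `const struct timespec *pts32 = NULL; if (abstime != NULL) { if (! in_time_t_range (abstime->tv_sec)) return -EOVERFLOW; ts32 = valid_timespec64_to_timespec (*abstime); pts32 = &ts32; }` and then `pts32` in place of the ternary. The diffstat shows only sysdeps/nptl/futex-internal.c changing, so no regression test covers the sem_wait path from the commit message; a test that calls sem_wait on a 32-bit time_t configuration would keep the NULL case from regressing. It is also worth confirming that __futex_abstimed_wait_cancelable64 in the same file, which the call log shows forwarding abstime, does not itself dereference abstime before the call.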
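The following is an added, stand-alone model of the post-patch abstime handling, not glibc's code. It re-implements in_time_t_range and valid_timespec64_to_timespec under those names with the obvious 32-bit semantics, replaces the futex syscall with a stub that only reports whether it received NULL or a converted deadline, and exercises the three input classes the patch has to handle: no deadline (NULL, wait forever), a deadline that fits a 32-bit time_t, and a deadline past 2038 that must be rejected with -EOVERFLOW rather than truncated. The struct layouts, stub return codes and sample timestamps are constructed for the example.

```c
/* Added example, not glibc code: a runnable model of the NULL-tolerant
   64-bit to 32-bit deadline handling from the patch.  Helpers are
   re-implemented here with the same names so the logic can run offline.  */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for glibc's struct __timespec64 (padding ignored).  */
struct timespec64 {
  int64_t tv_sec;
  int64_t tv_nsec;
};

/* Constructed stand-in for the 32-bit time_t timespec the futex syscall
   expects on a 32-bit ABI.  */
struct timespec32 {
  int32_t tv_sec;
  int32_t tv_nsec;
};

/* Model of in_time_t_range: does the value fit a signed 32-bit time_t?  */
static bool in_time_t_range(int64_t t) {
  return t >= INT32_MIN && t <= INT32_MAX;
}

/* Model of valid_timespec64_to_timespec: the caller has range-checked.  */
static struct timespec32 valid_timespec64_to_timespec(struct timespec64 ts64) {
  struct timespec32 ts32 = { (int32_t) ts64.tv_sec, (int32_t) ts64.tv_nsec };
  return ts32;
}

/* Stub standing in for the futex syscall: records what it was handed.  */
enum { FUTEX_GOT_NULL = 1, FUTEX_GOT_TIMESPEC = 2 };
static int futex_wait_stub(const struct timespec32 *ts32, int *seen_sec) {
  if (ts32 == NULL)
    return FUTEX_GOT_NULL;          /* NULL timeout: block indefinitely */
  *seen_sec = ts32->tv_sec;
  return FUTEX_GOT_TIMESPEC;
}

/* Post-patch logic: NULL is never dereferenced and is forwarded as-is;
   a deadline outside 32-bit time_t is rejected with -EOVERFLOW.  Returns
   the stub's code, or -EOVERFLOW.  */
int futex_abstimed_wait32_fixed(const struct timespec64 *abstime, int *seen_sec) {
  struct timespec32 ts32;

  if (abstime != NULL && !in_time_t_range(abstime->tv_sec))
    return -EOVERFLOW;

  if (abstime != NULL)
    ts32 = valid_timespec64_to_timespec(*abstime);

  return futex_wait_stub(abstime != NULL ? &ts32 : NULL, seen_sec);
}

int main(void) {
  int sec = 0;
  /* Constructed inputs: an in-range 2020 deadline and one second past the
     largest 32-bit time_t (2038-01-19T03:14:07Z).  */
  struct timespec64 deadline = { 1600269029, 0 };
  struct timespec64 too_late = { (int64_t) INT32_MAX + 1, 0 };

  printf("NULL      -> %d\n", futex_abstimed_wait32_fixed(NULL, &sec));
  int rc = futex_abstimed_wait32_fixed(&deadline, &sec);
  printf("in range  -> %d (tv_sec seen by syscall: %d)\n", rc, sec);
  printf("post-2038 -> %d (-EOVERFLOW is %d)\n",
         futex_abstimed_wait32_fixed(&too_late, &sec), -EOVERFLOW);
  return 0;
}
```

The pre-patch shape, `in_time_t_range (abstime->tv_sec)` with no NULL guard, cannot be modelled safely here because it simply faults; the point of the fixed version is that the only dereferences of abstime sit behind `abstime != NULL`, and that the 2038 boundary is a hard error rather than a silently wrapped deadline.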