Message-ID: <20151007102253.GO10551@port70.net>
Date: Wed, 7 Oct 2015 12:22:53 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: Signed integer overflow in __secs_to_tm
* Brian Mastenbrook <brian@...tenbrook.net> [2015-10-06 19:09:45 -0500]:
> __secs_to_tm (used by gmtime_r et al) may invoke undefined behavior due to signed integer overflow in two places. At __secs_to_tm.c:58, 400*qc_cycles may overflow. At __secs_to_tm.c:63, there is a nonsensical comparison between an already overflowed value and INT_MAX or INT_MIN; the compiler will delete this test due to overflow. Here are some example values that provoke the overflow:
>
i think that computation was supposed to be done
with long longs and then the comparison is
sensical and both problems go away.
can you try the attached patch?
> t = -67771633420944000
>
> __secs_to_tm.c:58:[kernel] warning: signed overflow. assert -2147483648 ??? 400*qc_cycles;
>
> t = 67768037838810496
>
> __secs_to_tm.c:63:[kernel] warning: signed overflow. assert years+100 ??? 2147483647;
>
> These errors were found using KLEE and clang's undefined behavior sanitizer together. (Unfortunately KLEE also produced a false report of an out-of-bounds access to the days_in_month array due to a solver bug.)
>
i have some questions:
have you looked at other parts of musl?
can klee model libc/syscall api behaviour?
is it possible to instrument a libc.a with klee
and then use small programs to check various
libc interfaces?
View attachment "tm.diff" of type "text/x-diff" (861 bytes)
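As an added illustration of the fix being discussed (this is not the attached tm.diff and not musl's own source), the year computation of __secs_to_tm redone with every intermediate in long long, so that 400*qc_cycles (line 58) cannot wrap and the years+100 range check (line 63) is meaningful; the cycle constants follow musl's __secs_to_tm, the function names are my own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constants as in __secs_to_tm: 2000-03-01 starts a 400-year cycle. */
#define LEAPOCH       (946684800LL + 86400*(31+29))
#define DAYS_PER_400Y (365*400 + 97)
#define DAYS_PER_100Y (365*100 + 24)
#define DAYS_PER_4Y   (365*4 + 1)

/* Years since 2000-03-01 for a time_t, with the same cycle arithmetic as
 * __secs_to_tm but all intermediates in long long: 400*qc_cycles cannot
 * overflow for any 64-bit t, so the caller's range check is well defined. */
long long years_since_2000(long long t)
{
    long long secs = t - LEAPOCH, days = secs / 86400;
    long long qc_cycles, c_cycles, q_cycles, remyears;
    int remdays;
    if (secs % 86400 < 0) days--;                 /* floor, not truncate */
    qc_cycles = days / DAYS_PER_400Y;
    remdays = days % DAYS_PER_400Y;
    if (remdays < 0) { remdays += DAYS_PER_400Y; qc_cycles--; }
    c_cycles = remdays / DAYS_PER_100Y;
    if (c_cycles == 4) c_cycles--;
    remdays -= c_cycles * DAYS_PER_100Y;
    q_cycles = remdays / DAYS_PER_4Y;
    if (q_cycles == 25) q_cycles--;
    remdays -= q_cycles * DAYS_PER_4Y;
    remyears = remdays / 365;
    if (remyears == 4) remyears--;
    return remyears + 4*q_cycles + 100*c_cycles + 400*qc_cycles;
}

/* The line-63 check on a value that cannot have overflowed: tm_year (years
 * since 1900) must fit an int. Returns 0 and stores it, or -1 if it does not. */
int secs_to_tm_year(long long t, int *out)
{
    long long tm_year = years_since_2000(t) + 100;
    if (tm_year > INT_MAX || tm_year < INT_MIN) return -1;
    if (out) *out = (int)tm_year;
    return 0;
}

int main(void)
{
    /* 1970-01-01 plus the two values from the report; 0 = fits, -1 = rejected */
    long long t[] = { 0, -67771633420944000LL, 67768037838810496LL };
    for (int i = 0; i < 3; i++)
        printf("t=%lld -> %d\n", t[i], secs_to_tm_year(t[i], NULL));
    return 0;
}
```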