Commit ee6abc25 authored by Thomas Gleixner's avatar Thomas Gleixner Committed by Greg Kroah-Hartman

hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)

patch 62f0f61e in mainline

Relative hrtimers with a large timeout value might end up as negative
timer values, when the current time is added in hrtimer_start().

This in turn is causing the clockevents_set_next() function to set an
huge timeout and sleep for quite a long time when we have a clock
source which is capable of long sleeps like HPET. With PIT this almost
goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code
sorts this out in the next timer interrupt, so we never noticed that
problem which has been there since the first day of hrtimers.

This bug became more apparent in 2.6.24 which activates HPET on more
hardware.
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 8d88a7d7
......@@ -826,6 +826,14 @@ hrtimer_start(struct hrtimer *timer, ktime_t tim, const enum hrtimer_mode mode)
#ifdef CONFIG_TIME_LOW_RES
tim = ktime_add(tim, base->resolution);
#endif
/*
* Careful here: User space might have asked for a
* very long sleep, so the add above might result in a
* negative number, which enqueues the timer in front
* of the queue.
*/
if (tim.tv64 < 0)
tim.tv64 = KTIME_MAX;
}
timer->expires = tim;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment