[Bug 211960] [PATCH] Page fault panic under settimeofday when tv_sec / SECDAY overflows signed 32 bit int

bugzilla-noreply at freebsd.org
Sat Jan 21 02:05:57 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211960

Conrad Meyer <cem at freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cem at freebsd.org

--- Comment #1 from Conrad Meyer <cem at freebsd.org> ---
I think the mechanism by which we fault here (amd64 and other 64-bit time_t
platforms) is:

days (int) is overflowed to be negative by:

  days = secs / SECDAY;  // (secs is time_t==int64_t on amd64)

ct->day (int) inherits a negative value from days.

In atrtc_set(), we invoke bin2bcd(ct.day) => bin2bcd_data[ct.day] (valid
indices are 0-99) => dereferencing 2GB before the array.

It seems like ct->day being negative (or more specifically, outside 0-31) is a
bug.  It seems like several places here could have better assertions to protect
against invalid ranges.

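The narrowing the comment describes, written out as an added example (mine, not code from the bug report or the FreeBSD tree): a 64-bit seconds value divided by SECDAY and stored in an int, next to range-checked versions of the day computation, the BCD lookup and the clocktime day field. SECDAY, the 100-entry table size and all function names here are assumptions modelled on the comment.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define SECDAY (24 * 60 * 60)   /* seconds per day, assumed as in the kernel */

/* Mirrors the faulting path: int64 seconds / SECDAY, narrowed into an int.
 * Once secs / SECDAY exceeds INT_MAX the stored value cannot be right, and
 * on common compilers it wraps negative. */
static int days_unchecked(int64_t secs)
{
    int days = secs / SECDAY;   /* implicit narrowing, as in the bug */
    return days;
}

/* Checked variant: refuse any input whose day count does not fit in an int
 * or is negative, instead of letting it wrap. Returns 0 on success. */
static int days_checked(int64_t secs, int *days_out)
{
    int64_t days = secs / SECDAY;
    if (secs < 0 || days > INT_MAX)
        return -1;
    *days_out = (int)days;
    return 0;
}

/* Guarded bin2bcd: the kernel version indexes a 100-entry table, so anything
 * outside 0..99 must be rejected before the lookup. Returns -1 if out of
 * range, otherwise the packed BCD byte. */
static int bin2bcd_checked(int bin)
{
    if (bin < 0 || bin > 99)
        return -1;
    return ((bin / 10) << 4) | (bin % 10);
}

/* Day-of-month must be 1..31 before it reaches the RTC write path. */
static int clock_day_valid(int day)
{
    return day >= 1 && day <= 31;
}

int main(void)
{
    /* Constructed input: exactly INT_MAX + 1 days, i.e. 2^31 * SECDAY. */
    int64_t big = ((int64_t)INT_MAX + 1) * SECDAY;
    int days = 0;
    printf("unchecked days: %d\n", days_unchecked(big));
    printf("checked result: %d\n", days_checked(big, &days));
    printf("bin2bcd(-5): %d\n", bin2bcd_checked(-5));
    return 0;
}
```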

