Date:      Sat, 21 Jan 2017 02:05:57 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 211960] [PATCH] Page fault panic under settimeofday when tv_sec / SECDAY overflows signed 32 bit int
Message-ID:  <bug-211960-8-zzev1imxwu@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-211960-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-211960-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211960

Conrad Meyer <cem@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cem@freebsd.org

--- Comment #1 from Conrad Meyer <cem@freebsd.org> ---
I think the mechanism by which we fault here (amd64 and other 64-bit time_t
platforms) is:

days (int) is overflowed to be negative by:

  days = secs / SECDAY;  // (secs is time_t==int64_t on amd64)

ct->day (int) inherits a negative value from days.

In atrtc_set(), we invoke bin2bcd(ct.day) => bin2bcd_data[ct.day] (valid
indices are 0-99) => dereferencing 2GB before the array.

It seems like ct->day being negative (or more specifically, outside 0-31) is a
bug.  It seems like several places here could have better assertions to protect
against invalid ranges.

-- 
You are receiving this mail because:
You are the assignee for the bug.
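The narrowing that comment #1 walks through, modelled as a self-contained C program. This is an added example, not FreeBSD's clock or RTC code: SECDAY is taken as 86400, the BCD table is given the 100-entry shape the comment describes (valid indices 0-99), and the names days_from_secs_narrowed, days_from_secs_checked, bin2bcd_checked and ct_day_in_range are assumptions made for this example. It shows how a tv_sec whose day count exceeds INT_MAX becomes INT_MIN once stored in an int, and the two range checks (at the narrowing and at the table boundary) that would stop the value reaching the lookup.

```c
/*
 * Self-contained model of the int narrowing described in comment #1.
 * Added for illustration; this is not FreeBSD's kernel clock code.
 * Assumptions: SECDAY is 86400, the BCD table has exactly 100 entries
 * (indices 0..99, as the comment states), and the function names
 * days_from_secs_narrowed, days_from_secs_checked, bin2bcd_checked and
 * ct_day_in_range are invented for this example.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define SECDAY ((int64_t)24 * 60 * 60)

/* Lookup table shaped like the one the comment describes: bin -> BCD for 0..99. */
static const uint8_t bin2bcd_data[100] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49,
    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59,
    0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
    0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79,
    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89,
    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99,
};

/*
 * The unchecked pattern: any argument outside 0..99 indexes outside the
 * table.  With INT_MIN that is a read 2 GiB before the array, which in
 * the kernel is the page fault the bug reports.  It is only ever called
 * with valid input in this program.
 */
static uint8_t bin2bcd_unchecked(int bin)
{
    return bin2bcd_data[bin];
}

/*
 * The narrowing path: the division is done in 64 bits (time_t on amd64),
 * but the result is stored in an int.  Out-of-range conversion is
 * implementation-defined in C; on the two's-complement targets FreeBSD
 * runs on the low 32 bits are kept, so a quotient of 2^31 becomes INT_MIN.
 */
static int days_from_secs_narrowed(int64_t secs)
{
    int days = (int)(secs / SECDAY);
    return days;
}

/* The check the narrowing needs: refuse a quotient an int cannot hold. */
static int days_from_secs_checked(int64_t secs, int *days_out)
{
    int64_t days = secs / SECDAY;

    if (days < 0 || days > INT_MAX)
        return -1;          /* caller would fail the settimeofday instead */
    *days_out = (int)days;
    return 0;
}

/* Range assertion at the table boundary: the input must be 0..99. */
static int bin2bcd_checked(int bin, uint8_t *bcd_out)
{
    if (bin < 0 || bin > 99)
        return -1;
    *bcd_out = bin2bcd_data[bin];
    return 0;
}

/* The narrower range the comment gives for ct->day itself. */
static int ct_day_in_range(int day)
{
    return day >= 0 && day <= 31;
}

int main(void)
{
    /* Constructed input: the smallest tv_sec whose day count overflows int. */
    int64_t bad_secs = ((int64_t)INT_MAX + 1) * SECDAY;
    int64_t good_secs = (int64_t)3 * SECDAY;
    int days;
    uint8_t bcd;

    days = days_from_secs_narrowed(bad_secs);
    printf("narrowed days for %lld s: %d (in 0-31: %s)\n",
           (long long)bad_secs, days, ct_day_in_range(days) ? "yes" : "no");
    printf("bin2bcd_checked(%d): %s\n", days,
           bin2bcd_checked(days, &bcd) == 0 ? "ok" : "rejected");

    if (days_from_secs_checked(bad_secs, &days) != 0)
        printf("days_from_secs_checked rejected the oversized input\n");
    if (days_from_secs_checked(good_secs, &days) == 0 &&
        bin2bcd_checked(days, &bcd) == 0)
        printf("day %d -> BCD 0x%02x (unchecked lookup gives 0x%02x)\n",
               days, bcd, bin2bcd_unchecked(days));
    return 0;
}
```

Both checks are worth keeping: the one at the narrowing stops the bad value at its source, and the one at the table boundary catches any other caller that hands bin2bcd a value outside 0-99.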


