kern/45634: hardclock_ticks corner cases in vflushnext() et al

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/45634: hardclock_ticks corner cases in vflushnext() et al
From: christianbiere%gmx.de@localhost
Date: Sat, 19 Nov 2011 21:00:01 +0000 (UTC)

>Number:         45634
>Category:       kern
>Synopsis:       hardclock_ticks corner cases in vflushnext() et al
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 19 21:00:00 +0000 2011
>Originator:     Christian Biere
>Release:        
>Organization:
>Environment:
>Description:
File: sys/kern/vfs_mount.c
Function: vflushnext()

1. The comparision "hardclock_ticks > *when" apparently assumes perfect 
integers whilst "hardclock_ticks" will actually wrap around (at least that's 
the hope) after some time. Therefore this comparision is insufficient to verify 
has advanced one or more ticks. If *when is initialized just before a wrap 
around (e.g. to INT_MAX) and hardclock_ticks wraps around to INT_MIN, the 
comparision will unintentionally fail. [*]

2. The expression "hardclock_ticks + hz / 10" may result in an integer overflow 
and hence cause undefined behavior.

File: sys/kern/kern_clock.c
Function: hardclock()

3. As "hardclock_ticks" is of type signed int an integer overflow occures after 
some defined run-time depending on the value of "hz". [*]
While changing its type to unsigned int would fix this issue allowing a 
well-defined wrap around, this would require further changes in code using this 
variable. Therefore, side effects can be avoid by the following:

 hardclock_ticks = (unsigned int) hardclock_ticks + 1;

However, it might actually be worthwhile to check the uses of "hardclock_ticks" 
elsewhere anyways. For example, it seems the wrap around is not taken into 
account in lacp_sm_tx() in net/agr/ieee8023ad_lacp_sm_tx.c as well as other 
files.

[*] Assuming hz is set to 100, the apparent compile-time default, these 
circumstances may arise about every 249 days. Thus, a higher value of hz will 
increase the likeliness in proportion (e.g. 25 days at 1000 hz). 

>How-To-Repeat:

>Fix:

Prev by Date: Re: standards/44063 (awk: setting NF doesn't change $i)
Next by Date: PR/45479 CVS commit: [netbsd-5] src/sys/kern
Previous by Thread: PR/45633 CVS commit: src/sys/kern
Next by Thread: Re: kern/45634: hardclock_ticks corner cases in vflushnext() et al
Indexes:

Home | Main Index | Thread Index | Old Index