On Wed, Nov 13, 2019 at 10:53 PM Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > > On Fri, 8 Nov 2019, Arnd Bergmann wrote: > > -SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv, > > +SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, > > struct timezone __user *, tz) > > { > > struct timespec64 new_ts; > > - struct timeval user_tv; > > struct timezone new_tz; > > > > if (tv) { > > - if (copy_from_user(&user_tv, tv, sizeof(*tv))) > > + if (get_user(new_ts.tv_sec, &tv->tv_sec) || > > + get_user(new_ts.tv_nsec, &tv->tv_usec)) > > return -EFAULT; > > How is that supposed to be correct on a 32bit kernel? I don't see the problem you are referring to. This should behave the same way on a 32-bit kernel and on a 64-bit kernel, sign-extending the tv_sec field, and copying the user tv_usec field into the kernel tv_nsec, to be multiplied by 1000 a few lines later. Am I missing something? > > - if (!timeval_valid(&user_tv)) > > + if (tv->tv_usec > USEC_PER_SEC) > > return -EINVAL; > > That's incomplete: > > static inline bool timeval_valid(const struct timeval *tv) > { > /* Dates before 1970 are bogus */ > if (tv->tv_sec < 0) > return false; > > /* Can't have more microseconds then a second */ > if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC) > return false; > > return true; > } My idea was to not duplicate the range check that is done in do_sys_settimeofday64() and again in do_settimeofday64: if (!timespec64_valid_settod(ts)) return -EINVAL; The only check we should need in addition to this is to ensure that passing an invalid tv_usec number doesn't become an unexpectedly valid tv_nsec after the multiplication. I agree the patch looks like I'm missing a check here, but the code after the patch appears clear enough to me. Arnd