Message-Id: <56177AD6-23A7-44A5-B72B-D139DC14F813@mastenbrook.net>
Date: Tue, 6 Oct 2015 19:09:45 -0500
From: Brian Mastenbrook <brian@...tenbrook.net>
To: musl@...ts.openwall.com
Subject: Signed integer overflow in __secs_to_tm

__secs_to_tm (used by gmtime_r et al) may invoke undefined behavior due to signed integer overflow in two places. At __secs_to_tm.c:58, 400*qc_cycles may overflow. At __secs_to_tm.c:63, there is a nonsensical comparison between an already overflowed value and INT_MAX or INT_MIN; the compiler will delete this test due to overflow. Here are some example values that provoke the overflow:

t = -67771633420944000

__secs_to_tm.c:58:[kernel] warning: signed overflow. assert -2147483648 ≤ 400*qc_cycles;

t = 67768037838810496

__secs_to_tm.c:63:[kernel] warning: signed overflow. assert years+100 ≤ 2147483647;

These errors were found using KLEE and clang's undefined behavior sanitizer together. (Unfortunately KLEE also produced a false report of an out-of-bounds access to the days_in_month array due to a solver bug.)

--
Brian Mastenbrook
brian@...tenbrook.net
http://brian.mastenbrook.net/
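The two overflow sites from the report, as an added C example that is not musl's code: the first function reproduces the int multiply `400*qc_cycles` and reports whether it would overflow, the second does the same year arithmetic with the input bounded up front and the cycle counts kept in long long, so the INT_MAX/INT_MIN test runs on a value that has not already overflowed. Function names are this example's own; the epoch and day-count constants follow musl's 2000-03-01 scheme.

```c
/* Added example, not musl's code; names are this example's own, constants follow musl's March-2000 epoch. */
#include <limits.h>
#define LEAPOCH       (946684800LL + 86400*(31+29))  /* 2000-03-01 00:00 UTC */
#define DAYS_PER_400Y (365*400 + 97)
#define DAYS_PER_100Y (365*100 + 24)
#define DAYS_PER_4Y   (365*4 + 1)
/* Days since LEAPOCH, rounded toward minus infinity. */
static long long days_since_leapoch(long long t)
{
    long long secs = t - LEAPOCH;
    return secs / 86400 - (secs % 86400 < 0);
}

/* The reported hazard: qc_cycles is an int and 400*qc_cycles is an int
 * multiply. Returns 1 when it would overflow; __builtin_mul_overflow lets
 * us observe that instead of executing undefined behaviour. */
int narrow_400_overflows(long long t)
{
    long long days = days_since_leapoch(t);
    int qc_cycles = (int)(days / DAYS_PER_400Y - (days % DAYS_PER_400Y < 0));
    int product;
    return __builtin_mul_overflow(400, qc_cycles, &product);
}

/* Hardened: reject t before any arithmetic (366 days bounds a year, so a
 * larger |t| cannot yield a year that fits in int), keep cycles and years
 * in long long, and range-test years+100 while it is still wide. Stores the
 * March-anchored cycle year as tm_year (Jan/Feb adjustment omitted). */
int checked_tm_year(long long t, int *tm_year)
{
    if (t < INT_MIN * 31622400LL || t > INT_MAX * 31622400LL)
        return -1;
    long long days = days_since_leapoch(t);
    long long qc_cycles = days / DAYS_PER_400Y;
    long long remdays = days % DAYS_PER_400Y;
    if (remdays < 0) { remdays += DAYS_PER_400Y; qc_cycles--; }
    long long c_cycles = remdays / DAYS_PER_100Y;
    if (c_cycles == 4) c_cycles--;
    remdays -= c_cycles * DAYS_PER_100Y;
    long long q_cycles = remdays / DAYS_PER_4Y;
    if (q_cycles == 25) q_cycles--;
    remdays -= q_cycles * DAYS_PER_4Y;
    long long remyears = remdays / 365;
    if (remyears == 4) remyears--;
    long long years = remyears + 4*q_cycles + 100*c_cycles + 400*qc_cycles;
    if (years + 100 > INT_MAX || years + 100 < INT_MIN)
        return -1;          /* tested on a value that has not overflowed */
    *tm_year = (int)(years + 100);
    return 0;
}
```

With the report's two values, the first triggers the narrow multiply overflow and the second slips past it only to fail the years+100 range test, which the wide version now rejects cleanly instead of relying on a check the compiler may drop.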