From 4e66f93ee8abfe1fbb37bde4a07834a274ce3cb8 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Tue, 14 May 2024 23:04:30 +0800 Subject: [PATCH] um: time-travel: fix time corruption stable inclusion from stable-v5.15.149 commit 0c7478a2da3f5fe106b4658338873d50c86ac7ab category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9DNRR CVE: CVE-2023-52633 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0c7478a2da3f5fe106b4658338873d50c86ac7ab -------------------------------- [ Upstream commit abe4eaa8618bb36c2b33e9cdde0499296a23448c ] In 'basic' time-travel mode (without =inf-cpu or =ext), we still get timer interrupts. These can happen at arbitrary points in time, i.e. while in timer_read(), which pushes time forward just a little bit. Then, if we happen to get the interrupt after calculating the new time to push to, but before actually finishing that, the interrupt will set the time to a value that's incompatible with the forward, and we'll crash because time goes backwards when we do the forwarding. Fix this by reading the time_travel_time, calculating the adjustment, and doing the adjustment all with interrupts disabled. Reported-by: Vincent Whitchurch Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin Signed-off-by: Guo Mengqi --- arch/um/kernel/time.c | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c index 8dafc3f2add4..a853d8a29476 100644 --- a/arch/um/kernel/time.c +++ b/arch/um/kernel/time.c @@ -374,9 +374,29 @@ static void time_travel_update_time(unsigned long long next, bool idle) time_travel_del_event(&ne); } +static void time_travel_update_time_rel(unsigned long long offs) +{ + unsigned long flags; + + /* + * Disable interrupts before calculating the new time so + * that a real timer interrupt (signal) can't happen at + * a bad time e.g. after we read time_travel_time but + * before we've completed updating the time. + */ + local_irq_save(flags); + time_travel_update_time(time_travel_time + offs, false); + local_irq_restore(flags); +} + void time_travel_ndelay(unsigned long nsec) { - time_travel_update_time(time_travel_time + nsec, false); + /* + * Not strictly needed to use _rel() version since this is + * only used in INFCPU/EXT modes, but it doesn't hurt and + * is more readable too. + */ + time_travel_update_time_rel(nsec); } EXPORT_SYMBOL(time_travel_ndelay); @@ -479,7 +499,11 @@ static int time_travel_connect_external(const char *socket) #define time_travel_start 0 #define time_travel_time 0 -static inline void time_travel_update_time(unsigned long long ns, bool retearly) +static inline void time_travel_update_time(unsigned long long ns, bool idle) +{ +} + +static inline void time_travel_update_time_rel(unsigned long long offs) { } @@ -624,9 +648,7 @@ static u64 timer_read(struct clocksource *cs) * to return from time_travel_update_time(). */ if (!irqs_disabled() && !in_interrupt() && !in_softirq()) - time_travel_update_time(time_travel_time + - TIMER_MULTIPLIER, - false); + time_travel_update_time_rel(TIMER_MULTIPLIER); return time_travel_time / TIMER_MULTIPLIER; } -- Gitee