[PATCH v3] panic: prevent panic_timeout * 1000 from overflow
From: Changming Liu
Date: Thu Jul 16 2020 - 19:16:25 EST
Since panic_timeout is an s32 integer passed in through sysctl, the
loop boundary panic_timeout * 1000 could overflow and result in
a zero-delay panic when panic_timeout is greater than INT_MAX/1000.
Fix this by elevating the precision of the loop boundary via
assigning the result to a u64 integer, also in case the loop
counter i might never be greater than u64 timeout = panic_timeout*1000,
elevate its precision to u64(timer) as well. The same applies to
timer_next replacing i_next which is initialized to 0.
Signed-off-by: Changming Liu <charley.ashbringer@xxxxxxxxx>
---
Changes in v3:
- change the loop in panic, instead of change the sysctl
- avoid using 64-bit division, doing 64-bit mult instead
kernel/panic.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kernel/panic.c b/kernel/panic.c
index e2157ca..ef6cd57 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -313,13 +313,16 @@ void panic(const char *fmt, ...)
* Delay timeout seconds before rebooting the machine.
* We can't use the "normal" timers since we just panicked.
*/
+ u64 timeout = panic_timeout * 1000ULL; /* avoid overflow */
+ u64 timer, timer_next = 0;
+
pr_emerg("Rebooting in %d seconds..\n", panic_timeout);
- for (i = 0; i < panic_timeout * 1000; i += PANIC_TIMER_STEP) {
+ for (timer = 0; timer < timeout; timer += PANIC_TIMER_STEP) {
touch_nmi_watchdog();
- if (i >= i_next) {
- i += panic_blink(state ^= 1);
- i_next = i + 3600 / PANIC_BLINK_SPD;
+ if (timer >= timer_next) {
+ timer += panic_blink(state ^= 1);
+ timer_next = timer + 3600 / PANIC_BLINK_SPD;
}
mdelay(PANIC_TIMER_STEP);
}
--
2.7.4