[PATCH v2] panic: prevent panic_timeout * 1000 from overflow

From: Changming
Date: Sat Jul 11 2020 - 01:17:54 EST


From: Changming Liu <charley.ashbringer@xxxxxxxxx>

Since panic_timeout is an integer passed-in through sysctl,
the loop boundary panic_timeout * 1000 could overflow and
result in a zero-delay panic when panic_timeout is greater
than INT_MAX/1000.

Fix this by moving 1000 to the left, also in case i/1000
might never be greater than panic_timeout, change i to
long long so that it strictly has more bits.

Signed-off-by: Changming Liu <charley.ashbringer@xxxxxxxxx>
---
Changes in v2:
- change the loop in panic, instead of change the sysctl

kernel/panic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/panic.c b/kernel/panic.c
index e2157ca387c8..941848aac0ee 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -178,7 +178,8 @@ void panic(const char *fmt, ...)
{
static char buf[1024];
va_list args;
- long i, i_next = 0, len;
+ long long i;
+ long i_next = 0, len;
int state = 0;
int old_cpu, this_cpu;
bool _crash_kexec_post_notifiers = crash_kexec_post_notifiers;
@@ -315,7 +316,7 @@ void panic(const char *fmt, ...)
*/
pr_emerg("Rebooting in %d seconds..\n", panic_timeout);

- for (i = 0; i < panic_timeout * 1000; i += PANIC_TIMER_STEP) {
+ for (i = 0; i / 1000 < panic_timeout; i += PANIC_TIMER_STEP) {
touch_nmi_watchdog();
if (i >= i_next) {
i += panic_blink(state ^= 1);
--
2.17.1