[tip: timers/urgent] time: Fix off-by-one in compat settimeofday() usec validation
From: tip-bot2 for Wang Yan
Date: Mon Jun 22 2026 - 07:24:13 EST
The following commit has been merged into the timers/urgent branch of tip:
Commit-ID: 269f2b43fae692d1f3988c9f888a6301aa537b82
Gitweb: https://git.kernel.org/tip/269f2b43fae692d1f3988c9f888a6301aa537b82
Author: Wang Yan <wangyan01@xxxxxxxxxx>
AuthorDate: Mon, 22 Jun 2026 18:33:48 +08:00
Committer: Thomas Gleixner <tglx@xxxxxxxxxx>
CommitterDate: Mon, 22 Jun 2026 13:20:20 +02:00
time: Fix off-by-one in compat settimeofday() usec validation
The compat version of settimeofday() uses '>' instead of '>=' when
validating tv_usec against USEC_PER_SEC, allowing the value 1000000 to pass
the check. After the subsequent conversion to nanoseconds (tv_nsec *=
NSEC_PER_USEC), this results in tv_nsec == NSEC_PER_SEC, which violates the
timespec invariant that tv_nsec must be strictly less than NSEC_PER_SEC.
The native settimeofday() was already fixed in commit ce4abda5e126 ("time:
Fix off-by-one in settimeofday() usec validation"), but the compat
counterpart was missed.
Fix it by using '>=' to reject tv_usec values outside the valid range [0,
USEC_PER_SEC - 1].
Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
Signed-off-by: Wang Yan <wangyan01@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxx>
Acked-by: Arnd Bergmann <arnd@xxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Link: https://patch.msgid.link/20260622103348.120255-1-wangyan01@xxxxxxxxxx
---
kernel/time/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index 771cef8..0dd63a9 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -251,7 +251,7 @@ COMPAT_SYSCALL_DEFINE2(settimeofday, struct old_timeval32 __user *, tv,
get_user(new_ts.tv_nsec, &tv->tv_usec))
return -EFAULT;
- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
+ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
return -EINVAL;
new_ts.tv_nsec *= NSEC_PER_USEC;