times(2) misbehaviour
Denys Vlasenko
vda.linux at googlemail.com
Tue Feb 2 13:41:32 UTC 2010
On Sun, Jan 31, 2010 at 8:33 PM, Julien Boibessot
<julien.boibessot at free.fr> wrote:
> Hello,
>
> after a big bug hunt we also found that the implementation of the
> "times" system call in uClibc 0.9.29/0.9.30 is problematic on some 32
> bits architectures (arm926 in our case); like it was reported 2 years
> ago by Will.
>
> The fact that uClibc considers some Linux sys_times() return values as
> errors makes some user space applications become crazy (Qt in our case):
> when Linux "times" syscall's return value is inside uClibc errors range
> (cf INTERNAL_SYSCALL_ERROR_P macro), uClibc forward a (-1) error code to
> caller. An application may freeze during many seconds (40 if system tick
> is 10ms), if it's event handling relies on times() accuracy.
>
> Could maintainers of uClibc get inspired from that patch and do a
> correction for this problem please ?
Your patch seems to go to great lengths to catch
times(bad_pointer), right? -
+ clock_t ret = INTERNAL_SYSCALL (times, err, 1, buf);
+ if (INTERNAL_SYSCALL_ERROR_P (ret, err)
+ && __builtin_expect (INTERNAL_SYSCALL_ERRNO (ret, err) == EFAULT, 0))
+ {
+ /* This might be an error or not. For architectures which have
+ no separate return value and error indicators we cannot
+ distinguish a return value of -1 from an error. Do it the
+ hard way. We crash applications which pass in an invalid BUF
+ pointer. */
+#define touch(v) \
+ do { \
+ clock_t temp = v; \
+ asm volatile ("" : "+r" (temp)); \
+ v = temp; \
+ } while (0)
+ touch (buf->tms_utime);
+ touch (buf->tms_stime);
+ touch (buf->tms_cutime);
+ touch (buf->tms_cstime);
...
Why bother? The program which passes bogus pointer to times()
is likely to crash anyway, say, when it will try to access
the data using that pointer.
Alternative (attached) patch simply removes error return check.
In assembly, the diff is:
Disassembly of section .text.__GI_times:
@@ -43,13 +42,7 @@
53 push %ebx
89 fb mov %edi,%ebx
b8 2b 00 00 00 mov $0x2b,%eax
cd 80 int $0x80
5b pop %ebx
-3d 00 f0 ff ff cmp $0xfffff000,%eax
-76 0a jbe 21 <__GI_times+0x21>
-f7 d8 neg %eax
-a3 00 00 00 00 mov %eax,0x0
- R_386_32 errno
-83 c8 ff or $0xffffffff,%eax
5f pop %edi
c3 ret
--
vda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9.patch
Type: application/octet-stream
Size: 2167 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/uclibc/attachments/20100202/64498943/attachment.obj>
More information about the uClibc
mailing list