[gcc r10-9030] libstdc++: Avoid 32-bit time_t overflows in futex calls

Mon Nov 16 21:15:20 GMT 2020

https://gcc.gnu.org/g:e7ca3a43842129084426faba865503ee7d42ce48

commit r10-9030-ge7ca3a43842129084426faba865503ee7d42ce48
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Fri Nov 13 15:19:04 2020 +0000

    libstdc++: Avoid 32-bit time_t overflows in futex calls
    
    The existing code doesn't check whether the chrono::seconds value is out
    of range of time_t. When using a timeout before the epoch (with a
    negative value) subtracting the current time (as time_t) and then
    assigning it to a time_t can overflow to a large positive value. This
    means that we end up waiting several years even though the specific
    timeout was in the distant past.
    
    We do have a check for negative timeouts, but that happens after the
    conversion to time_t so happens after the overflow.
    
    libstdc++-v3/ChangeLog:
    
            * src/c++11/futex.cc (relative_timespec): New function to
            create relative time from two absolute times.
            (__atomic_futex_unsigned_base::_M_futex_wait_until): Use
            relative_timespec.
    
    (cherry picked from commit b54bd045ae908b8ace5c50ce1bdc8d472d48a514)

Diff:
---
 libstdc++-v3/src/c++11/futex.cc | 56 +++++++++++++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 11 deletions(-)

diff --git a/libstdc++-v3/src/c++11/futex.cc b/libstdc++-v3/src/c++11/futex.cc
index c9de11a7ec7..5d68dafa052 100644
--- a/libstdc++-v3/src/c++11/futex.cc
+++ b/libstdc++-v3/src/c++11/futex.cc
@@ -31,6 +31,7 @@
 #include <unistd.h>
 #include <sys/time.h>
 #include <errno.h>
+#include <ext/numeric_traits.h>
 #include <debug/debug.h>
 
 // Constants for the wait/wake futex syscall operations
@@ -41,10 +42,48 @@ namespace std _GLIBCXX_VISIBILITY(default)
 {
 _GLIBCXX_BEGIN_NAMESPACE_VERSION
 
+namespace
+{
+  // Return the relative duration from (now_s + now_ns) to (abs_s + abs_ns)
+  // as a timespec.
+  struct timespec
+  relative_timespec(chrono::seconds abs_s, chrono::nanoseconds abs_ns,
+		    time_t now_s, long now_ns)
+  {
+    struct timespec rt;
+
+    // Did we already time out?
+    if (now_s > abs_s.count())
+      {
+	rt.tv_sec = -1;
+	return rt;
+      }
+
+    auto rel_s = abs_s.count() - now_s;
+
+    // Avoid overflows
+    if (rel_s > __gnu_cxx::__int_traits<time_t>::__max)
+      rel_s = __gnu_cxx::__int_traits<time_t>::__max;
+    else if (rel_s < __gnu_cxx::__int_traits<time_t>::__min)
+      rel_s = __gnu_cxx::__int_traits<time_t>::__min;
+
+    // Convert the absolute timeout value to a relative timeout
+    rt.tv_sec = rel_s;
+    rt.tv_nsec = abs_ns.count() - now_ns;
+    if (rt.tv_nsec < 0)
+      {
+	rt.tv_nsec += 1000000000;
+	--rt.tv_sec;
+      }
+
+    return rt;
+  }
+} // namespace
+
   bool
-  __atomic_futex_unsigned_base::_M_futex_wait_until(unsigned *__addr,
-      unsigned __val,
-      bool __has_timeout, chrono::seconds __s, chrono::nanoseconds __ns)
+  __atomic_futex_unsigned_base::
+  _M_futex_wait_until(unsigned *__addr, unsigned __val, bool __has_timeout,
+		      chrono::seconds __s, chrono::nanoseconds __ns)
   {
     if (!__has_timeout)
       {
@@ -60,15 +99,10 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION
       {
 	struct timeval tv;
 	gettimeofday (&tv, NULL);
+
 	// Convert the absolute timeout value to a relative timeout
-	struct timespec rt;
-	rt.tv_sec = __s.count() - tv.tv_sec;
-	rt.tv_nsec = __ns.count() - tv.tv_usec * 1000;
-	if (rt.tv_nsec < 0)
-	  {
-	    rt.tv_nsec += 1000000000;
-	    --rt.tv_sec;
-	  }
+	auto rt = relative_timespec(__s, __ns, tv.tv_sec, tv.tv_usec * 1000);
+
 	// Did we already time out?
 	if (rt.tv_sec < 0)
 	  return false;
