[Toybox] sleep overflow
Elie De Brauwer
eliedebrauwer at gmail.com
Wed Aug 15 05:48:51 PDT 2012
Hello all,
Found a little bug in sleep, for insanely large values (so insane people
might use them to sleep forever and they will be disappointed when
forever means zero) sleep might return immediately (config SLEEP_FLOAT
is impacted; config SLEEP and config USLEEP are not affected).
Now sleep (with floating point support) functions as follows:
edb@lapedb:~/edb-stuff/toybox/toybox$ strace -e nanosleep ./toybox sleep 24855d
nanosleep({2147472000, 0}, ^C <unfinished ...>
edb@lapedb:~/edb-stuff/toybox/toybox$ strace -e nanosleep ./toybox sleep 24856d
nanosleep({2147558400, 2147483648}, NULL) = -1 EINVAL (Invalid argument)
So it'd better not sleep longer than 68 years :D.
This is caused by an overflow in the argument parsing, if it exceeds
INT_MAX (0x80000000 on 32 bit) nanosleep will start to consider certain
variables as negative. I've attached a patch which just tops this off
to INT_MAX. With it, it behaves more or less as 'real' sleep:
edb@lapedb:~/edb-stuff/toybox/toybox$ strace -e nanosleep ./toybox sleep 24856d
nanosleep({2147483647, 0}, ^C <unfinished ...>
edb@lapedb:~/edb-stuff/toybox/toybox$ strace -e nanosleep sleep 24856d
nanosleep({2147483647, 999999999}, ^C <unfinished ...>
(okay, one second offset, but let's not argue about that for the coming
first 68 years). I would sleep much better tonight if somebody could
also give this a spin on a 64 bit system.
Below is proof that usleep and sleep function reasonably well.
* usleep:
edb@lapedb:~/edb-stuff/toybox/toybox$ strace -e nanosleep ./toybox usleep 500000000000000000000000000000000000000000000000000
nanosleep({2147, 483647000}, ^C <unfinished ...>
(this is because it bumps into the limits of the integer used)
* sleep without floating point support:
edb@lapedb:~/edb-stuff/toybox/toybox$ strace -e nanosleep ./toybox sleep 5000000000000000
nanosleep({2147483647, 0}, ^C <unfinished ...>
(same, bumps into the limits of int).
my 2 cents
E.
--
Elie De Brauwer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sleep_overflow.patch
Type: text/x-patch
Size: 590 bytes
Desc: not available
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20120815/df992e79/attachment-0006.bin>
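Added example, not part of the original message and not the attached patch or toybox's own code: a saturating conversion from a parsed floating-point duration to a struct timespec, with the range check done on the double before any cast. The names parse_duration and to_timespec, and the s/m/h/d suffix set, are assumptions made for illustration; the limit is passed in so the 32-bit case from the message can be reproduced on any host.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical parser: "<number>[smhd]" -> seconds. Returns -1 if malformed. */
static int parse_duration(const char *arg, double *out)
{
    char *end;
    double v = strtod(arg, &end);
    if (end == arg || !(v >= 0)) return -1;   /* rejects NaN and negatives */
    switch (*end) {
    case 'd': v *= 86400; end++; break;
    case 'h': v *= 3600; end++; break;
    case 'm': v *= 60; end++; break;
    case 's': end++; break;
    }
    if (*end) return -1;                      /* trailing junk */
    *out = v;
    return 0;
}

/* Saturate at max_sec. The comparison is done on the double, before any cast:
 * converting an out-of-range double to an integer type is undefined in C.
 * Returns 1 if the value was clamped, 0 otherwise. */
static int to_timespec(double secs, long max_sec, struct timespec *ts)
{
    if (secs >= (double)max_sec) {            /* also catches inf and 1e400 */
        ts->tv_sec = max_sec;
        ts->tv_nsec = 0;
        return 1;
    }
    ts->tv_sec = (time_t)secs;
    ts->tv_nsec = (long)((secs - (double)ts->tv_sec) * 1e9);
    if (ts->tv_nsec > 999999999L) ts->tv_nsec = 999999999L;
    return 0;
}

int main(int argc, char **argv)
{
    struct timespec ts;
    double secs;
    int clamped;
    if (parse_duration(argc > 1 ? argv[1] : "24856d", &secs)) return 1;
    clamped = to_timespec(secs, INT_MAX, &ts);
    printf("{%lld, %ld}%s\n", (long long)ts.tv_sec, ts.tv_nsec,
           clamped ? " (clamped)" : "");
    return 0;
}
```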