Skip to content

kernel: sched: fix possible integer overflow in z_tick_sleep() #92996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

kernel: sched: fix possible integer overflow in z_tick_sleep() #92996

wants to merge 1 commit into from
+4 −6

Conversation

sudarsan-22
Copy link
Contributor

@sudarsan-22 sudarsan-22 commented Jul 11, 2025
edited
Loading

Fix Coverity CID 529867 (CWE-190): z_tick_sleep() may return a large tick count due to wraparound during unsigned tick subtraction.

This patch replaces unsigned subtraction with signed arithmetic to safely handle tick count wraparound and avoid returning incorrect values after timeout abortion.

Fixes: #92601

@sudarsan-22
kernel: sched: fix possible integer overflow in z_tick_sleep()
d2c0ba1 
Fix Coverity CID 529867 (CWE-190): z_tick_sleep() may return a large
tick count due to wraparound during unsigned tick subtraction.

This patch replaces unsigned subtraction with signed arithmetic to
safely handle tick count wraparound and avoid returning incorrect values
after timeout abortion.

Fixes: zephyrproject-rtos#92601

Signed-off-by: sudarsan N <sudarsansamy2002@gmail.com>
@sudarsan-22 sudarsan-22 force-pushed the fix/z_tick_sleep-integer-overflow-cid529867 branch from 925305e to d2c0ba1 Compare July 11, 2025 07:14
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

andyross
andyross requested changes Jul 13, 2025
View reviewed changes
Copy link
Contributor

@andyross andyross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks to me like this is going to generate the same code and the same operations: it does a uint32_t subtraction and manually checks for overflow by casting the results to int32_t and looking at the sign.

What's the argument for why Coverity won't just flag it again? If the argument is "Coverity is too dumb to notice this new code", then IMHO the proper solution is to filter the test and not just rearrange the code.

If you need to test for overflow in unsigned math in a robust way, the solution is generally something like:

if (a > b) return a - b else return 0;

@sudarsan-22
Copy link
Contributor Author

It looks to me like this is going to generate the same code and the same operations: it does a uint32_t subtraction and manually checks for overflow by casting the results to int32_t and looking at the sign.

What's the argument for why Coverity won't just flag it again? If the argument is "Coverity is too dumb to notice this new code", then IMHO the proper solution is to filter the test and not just rearrange the code.

If you need to test for overflow in unsigned math in a robust way, the solution is generally something like:

if (a > b) return a - b else return 0;

Thanks Andy for the review!

You're right — the updated code still performs unsigned subtraction internally, and it's possible that Coverity may flag this again despite the cast.

The explicit check you suggested using:

if (expected_wakeup_ticks > now) {
return expected_wakeup_ticks - now;
} else {
return 0;
}
which is ok ?

@sudarsan-22 sudarsan-22 requested a review from andyross July 17, 2025 09:30
@andyross
Copy link
Contributor

If you're able to run coverity locally, then the right answer is "whatever works to silence the error". If not, sticking to defined behavior is best, and what you wrote in your comment looks correct to me. Sleeping isn't in general a performance path so we don't need to care too much about generated code quality.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ceolin ceolin Awaiting requested review from ceolin

@cfriedt cfriedt Awaiting requested review from cfriedt

@dcpleung dcpleung Awaiting requested review from dcpleung

@nashif nashif Awaiting requested review from nashif

@npitre npitre Awaiting requested review from npitre

@peter-mitsis peter-mitsis Awaiting requested review from peter-mitsis

@TaiJuWu TaiJuWu Awaiting requested review from TaiJuWu

@andyross andyross Awaiting requested review from andyross

Requested changes must be addressed to merge this pull request.

Assignees

@andyross andyross

@peter-mitsis peter-mitsis

Labels
area: Kernel
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Coverity CID: 529867] Overflowed return value in kernel/sched.c
3 participants
@sudarsan-22 @andyross @peter-mitsis