From d2c0ba1e1a45b03c953aede55ceb492d481f0f44 Mon Sep 17 00:00:00 2001
From: sudarsan N
Date: Fri, 11 Jul 2025 12:40:05 +0530
Subject: [PATCH] kernel: sched: fix possible integer overflow in z_tick_sleep()

Fix Coverity CID 529867 (CWE-190): z_tick_sleep() may return a large tick count due to wraparound during unsigned tick subtraction. This patch replaces unsigned subtraction with signed arithmetic to safely handle tick count wraparound and avoid returning incorrect values after timeout abortion.

Fixes: #92601
Signed-off-by: sudarsan N
---
 kernel/sched.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/kernel/sched.c b/kernel/sched.c
index fce7fc40fe98d..b73a72add4483 100644
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -1117,13 +1117,11 @@ static int32_t z_tick_sleep(k_timeout_t timeout)
 	}
 
 	/* We require a 32 bit unsigned subtraction to care a wraparound */
-	uint32_t left_ticks = expected_wakeup_ticks - sys_clock_tick_get_32();
+	uint32_t now = sys_clock_tick_get_32();
+	int32_t remaining = (int32_t)(expected_wakeup_ticks - now);
 
-	/* To handle a negative value correctly, once type-cast it to signed 32 bit */
-	k_ticks_t ticks = (k_ticks_t)(int32_t)left_ticks;
-
-	if (ticks > 0) {
-		return ticks;
+	if (remaining > 0) {
+		return (k_ticks_t)remaining;
 	}
 
 	return 0;
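Review bot: The `(k_ticks_t)` cast in `return (k_ticks_t)remaining;` converts the value only for it to be converted straight back to the function's `int32_t` return type (visible in the hunk header), so `return remaining;` is clearer and avoids an implicit narrowing that a static analyser could flag again. The subtraction is still performed in unsigned 32-bit arithmetic and then reinterpreted as signed, which appears to yield the same value as the removed lines, so the behaviour looks unchanged rather than newly "signed". The result is only meaningful while the wakeup is less than 2^31 ticks away from `now`, and the commit drops the comment that explained the signed cast, so I would add `/* Signed view of the modulo-2^32 difference: <= 0 means the wakeup tick has already passed */` above `remaining`. The declaration of `expected_wakeup_ticks` and the start of z_tick_sleep() are outside the hunk, so its type is assumed to be `uint32_t`.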