lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 14 Mar 2012 22:16:32 +0100 (CET)
From:	Thomas Gleixner <tglx@...utronix.de>
To:	Sasha Levin <levinsasha928@...il.com>
cc:	johnstul@...ibm.com, linux-kernel@...r.kernel.org, davej@...hat.com
Subject: Re: [PATCH] ntp: Fix integer overflow when setting time

On Wed, 14 Mar 2012, Sasha Levin wrote:

> On 64bit machines, the difference between 'time_reftime' and current time
> is 8 bits, this variable is used as the divisor in div_s64() to calculate
> the frequency, but div_s64() assumes the divisor is 32bits.

Why is that delta 8 bits???? 

> This means that we are able to trigger a division by zero if the difference
> has 0's in it's lower bytes. This way it would skip the sanity checks before
> the div_64s() but when it gets to that div it would get truncated and
> become 0.

This does not make sense at all.

So what I assume you are talking about is, that the divisor (i.e. the
delta) is greater than (1 << 32) - 1 and all 32 lower bits are 0, right ?

> diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
> index 17fb1b9..efe894a 100644
> --- a/kernel/time/ntp.c
> +++ b/kernel/time/ntp.c
> @@ -289,7 +289,7 @@ static inline s64 ntp_update_offset_fll(s64 offset64, long secs)
>  
>  	time_status |= STA_MODE;
> 
> -	return div_s64(offset64 << (NTP_SCALE_SHIFT - SHIFT_FLL), secs);
> +	return div64_s64(offset64 << (NTP_SCALE_SHIFT - SHIFT_FLL), secs);

This needs a comment and it would be nice to avoid the 64 division on
32bit machines. Something like:

#if BITS_PER_LONG == 64 
# define div64_long(x,y)	div64_s64(x,y)
#else
# define div64_long(x,y)	div_s64(x,y)
#endif

Nice catch, though it took me a while to grok the changelog, as the 8
bit case is catched by the MINSEC check. Please be more careful about
that.

Thanks,

	tglx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ