| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.11.1512072106560.3595@nanos> Date: Mon, 7 Dec 2015 21:15:45 +0100 (CET) From: Thomas Gleixner <tglx@...utronix.de> To: John Stultz <john.stultz@...aro.org> cc: Richard Cochran <richardcochran@...il.com>, Sasha Levin <sasha.levin@...cle.com>, lkml <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] time: verify time values in adjtimex ADJ_SETOFFSET to avoid overflow On Mon, 7 Dec 2015, John Stultz wrote: > On Sun, Dec 6, 2015 at 2:11 PM, Richard Cochran > <richardcochran@...il.com> wrote: > > The overflow is a latent problem, and the patch should: > > > > 1. return error in case (txc->time.tv_usec >= USEC_PER_SEC) > > 2. remove the redundant test in timekeeping_inject_offset. > > So we probably want to keep the check in timekeeping_inject_offset() > since there can be other users as well of that function. > > But its probably cleanest to add a check in ntp_validate_timex() > instead of where this patch does it. So instead of open coding the checks on both sites, can we please have an inline function with proper comments why time.tv_sec can be negative, something like adjtimex_timeval_is_valid() or such. Thanks, tglx -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists