[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240507-b4-sio-ntp-usec-v1-1-15003fc9c2b4@google.com>
Date: Tue, 07 May 2024 04:34:13 +0000
From: Justin Stitt <justinstitt@...gle.com>
To: John Stultz <jstultz@...gle.com>, Thomas Gleixner <tglx@...utronix.de>,
Stephen Boyd <sboyd@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Bill Wendling <morbo@...gle.com>
Cc: linux-kernel@...r.kernel.org, llvm@...ts.linux.dev,
linux-hardening@...r.kernel.org, Justin Stitt <justinstitt@...gle.com>
Subject: [PATCH] ntp: remove accidental integer wrap-around
Using syzkaller alongside the newly reintroduced signed integer overflow
sanitizer spits out this report:
[ 138.454979] ------------[ cut here ]------------
[ 138.458089] UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16
[ 138.462134] 9223372036854775807 + 500 cannot be represented in type 'long'
[ 138.466234] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0-rc2-00038-gc0a509640e93-dirty #10
[ 138.471498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 138.477110] Call Trace:
[ 138.478657] <IRQ>
[ 138.479964] dump_stack_lvl+0x93/0xd0
[ 138.482276] handle_overflow+0x171/0x1b0
[ 138.484699] second_overflow+0x2d6/0x500
[ 138.487133] accumulate_nsecs_to_secs+0x60/0x160
[ 138.489931] timekeeping_advance+0x1fe/0x890
[ 138.492535] update_wall_time+0x10/0x30
..
Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").
Let's introduce a new macro and use that against NTP_PHASE_LIMIT to
properly limit the max size of time_maxerror without overflowing during
the check itself.
Link: https://github.com/llvm/llvm-project/pull/82432 [1]
Closes: https://github.com/KSPP/linux/issues/354
Cc: linux-hardening@...r.kernel.org
Signed-off-by: Justin Stitt <justinstitt@...gle.com>
---
include/linux/timex.h | 1 +
kernel/time/ntp.c | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/include/linux/timex.h b/include/linux/timex.h
index 3871b06bd302..976490a06915 100644
--- a/include/linux/timex.h
+++ b/include/linux/timex.h
@@ -138,6 +138,7 @@ unsigned long random_get_entropy_fallback(void);
#define MINSEC 256 /* min interval between updates (s) */
#define MAXSEC 2048 /* max interval between updates (s) */
#define NTP_PHASE_LIMIT ((MAXPHASE / NSEC_PER_USEC) << 5) /* beyond max. dispersion */
+#define NTP_MAXFREQ_USEC (MAXFREQ / NSEC_PER_USEC) /* scaled to microseconds */
/*
* kernel variables
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 406dccb79c2b..19027b6d0827 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -454,12 +454,12 @@ int second_overflow(time64_t secs)
}
- /* Bump the maxerror field */
- time_maxerror += MAXFREQ / NSEC_PER_USEC;
- if (time_maxerror > NTP_PHASE_LIMIT) {
+ /* Bump the maxerror field, making sure not to exceed NTP_PHASE_LIMIT */
+ if (NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC < time_maxerror) {
time_maxerror = NTP_PHASE_LIMIT;
time_status |= STA_UNSYNC;
- }
+ } else
+ time_maxerror += NTP_MAXFREQ_USEC;
/* Compute the phase adjustment for the next second */
tick_length = tick_length_base;
---
base-commit: 0106679839f7c69632b3b9833c3268c316c0a9fc
change-id: 20240507-b4-sio-ntp-usec-1a3ab67bdce1
Best regards,
--
Justin Stitt <justinstitt@...gle.com>
Powered by blists - more mailing lists