| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251025160905.3857885-461-sashal@kernel.org>
Date: Sat, 25 Oct 2025 12:01:32 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
stable@...r.kernel.org
Cc: Miroslav Lichvar <mlichvar@...hat.com>,
Richard Cochran <richardcochran@...il.com>,
Thomas Gleixner <tglx@...utronix.de>,
John Stultz <jstultz@...gle.com>,
Arnd Bergmann <arnd@...db.de>,
Vadim Fedorenko <vadim.fedorenko@...ux.dev>,
Jakub Kicinski <kuba@...nel.org>,
Sasha Levin <sashal@...nel.org>,
andrew+netdev@...n.ch,
davem@...emloft.net,
edumazet@...gle.com,
pabeni@...hat.com,
netdev@...r.kernel.org
Subject: [PATCH AUTOSEL 6.17-5.15] ptp: Limit time setting of PTP clocks
From: Miroslav Lichvar <mlichvar@...hat.com>
[ Upstream commit 5a8c02a6bf52b1cf9cfb7868a8330f7c3c6aebe9 ]
Networking drivers implementing PTP clocks and kernel socket code
handling hardware timestamps use the 64-bit signed ktime_t type counting
nanoseconds. When a PTP clock reaches the maximum value in year 2262,
the timestamps returned to applications will overflow into year 1667.
The same thing happens when injecting a large offset with
clock_adjtime(ADJ_SETOFFSET).
The commit 7a8e61f84786 ("timekeeping: Force upper bound for setting
CLOCK_REALTIME") limited the maximum accepted value setting the system
clock to 30 years before the maximum representable value (i.e. year
2232) to avoid the overflow, assuming the system will not run for more
than 30 years.
Enforce the same limit for PTP clocks. Don't allow negative values and
values closer than 30 years to the maximum value. Drivers may implement
an even lower limit if the hardware registers cannot represent the whole
interval between years 1970 and 2262 in the required resolution.
Signed-off-by: Miroslav Lichvar <mlichvar@...hat.com>
Cc: Richard Cochran <richardcochran@...il.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: John Stultz <jstultz@...gle.com>
Cc: Arnd Bergmann <arnd@...db.de>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@...ux.dev>
Link: https://patch.msgid.link/20250828103300.1387025-1-mlichvar@redhat.com
Signed-off-by: Jakub Kicinski <kuba@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
LLM Generated explanations, may be completely bogus:
YES
- Fixes a real bug: Prevents PTP clocks and timestamping from
overflowing 64-bit signed ktime_t (wrap to year 1667) when a clock is
set near the representable maximum or when a large offset is injected
via ADJ_SETOFFSET. This is user-visible and can be triggered
immediately by userspace with large offsets, not only in year 2262.
- Small, contained change in the PTP core:
- Validates absolute settime requests using the established helper.
Added check in `ptp_clock_settime()` to reject invalid targets:
`drivers/ptp/ptp_clock.c:104`.
- Validates relative ADJ_SETOFFSET by first reading current time,
adding the offset, then rejecting if the resulting time would be
invalid: `ptp_clock_gettime()` call `drivers/ptp/ptp_clock.c:151`,
compute sum `drivers/ptp/ptp_clock.c:154`, and validate with
`timespec64_valid_settod()` `drivers/ptp/ptp_clock.c:155`.
- Aligns PTP behavior with system clock rules: Uses the same upper-bound
policy as CLOCK_REALTIME by calling `timespec64_valid_settod()`, which
rejects negative times and values within 30 years of ktime’s max
(`include/linux/time64.h:118`). This matches the prior “timekeeping:
Force upper bound for setting CLOCK_REALTIME” change and ensures
consistent semantics across clocks.
- Minimal regression risk:
- Only rejects out-of-range inputs that previously produced overflowed
timestamps; returns `-EINVAL` instead of silently wrapping.
- No architectural changes; no driver APIs change; ADJ_OFFSET and
ADJ_FREQUENCY paths are untouched (besides existing range checks).
- Matches existing kernel timekeeping validation patterns (system
clock already enforces the same limits).
- Touches a non-core subsystem (PTP POSIX clock ops) and is
straightforward to review and backport.
- Backport note: The change depends on `timespec64_valid_settod()` and
related defines in `include/linux/time64.h`. If a target stable branch
predates this helper, a trivial adaptation (or backport of the helper)
is needed.
Given the clear correctness benefit, minimal scope, and alignment with
existing timekeeping policy, this is a good candidate for stable
backport.
drivers/ptp/ptp_clock.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 1cc06b7cb17ef..3e0726c6f55b3 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -100,6 +100,9 @@ static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp
return -EBUSY;
}
+ if (!timespec64_valid_settod(tp))
+ return -EINVAL;
+
return ptp->info->settime64(ptp->info, tp);
}
@@ -130,7 +133,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx)
ops = ptp->info;
if (tx->modes & ADJ_SETOFFSET) {
- struct timespec64 ts;
+ struct timespec64 ts, ts2;
ktime_t kt;
s64 delta;
@@ -143,6 +146,14 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx)
if ((unsigned long) ts.tv_nsec >= NSEC_PER_SEC)
return -EINVAL;
+ /* Make sure the offset is valid */
+ err = ptp_clock_gettime(pc, &ts2);
+ if (err)
+ return err;
+ ts2 = timespec64_add(ts2, ts);
+ if (!timespec64_valid_settod(&ts2))
+ return -EINVAL;
+
kt = timespec64_to_ktime(ts);
delta = ktime_to_ns(kt);
err = ops->adjtime(ops, delta);
--
2.51.0
Powered by blists - more mailing lists