[PATCH v2 0/2] time: tip/timers/urgent: Validate potential mult overflows

[PATCH v2 0/2] time: tip/timers/urgent: Validate potential mult overflows

[John Stultz]

Hey Ingo, Thomas,

 Here are two mult overflow validation fixes from Sasha for
tip/timers/urgent that I didn't manage to send out before the holidays.

For v2 I've added the mili->micro fix Andy noticed.

Let me know if you have any objections.

thanks
-john

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Andy Lutomirski <luto@amacapital.net>

If you want, they can be pulled via:

The following changes since commit b2776bf7149bddd1f4161f14f79520f17fc1d71d:

  Linux 3.18 (2014-12-07 14:21:05 -0800)

are available in the git repository at:

  https://git.linaro.org/people/john.stultz/linux.git fortglx/3.19-stable/time

for you to fetch changes up to 5e5aeb4367b450a28f447f6d5ab57d8f2ab16a5f:

  time: adjtimex: Validate the ADJ_FREQUENCY values (2015-01-07 09:50:32 -0800)

----------------------------------------------------------------
Sasha Levin (2):
      time: settimeofday: Validate the values of tv from user
      time: adjtimex: Validate the ADJ_FREQUENCY values

 include/linux/time.h | 13 +++++++++++++
 kernel/time/ntp.c    |  7 +++++++
 kernel/time/time.c   |  4 ++++
 3 files changed, 24 insertions(+)

-- 
1.9.1

[PATCH 1/2] time: settimeofday: Validate the values of tv from user

[John Stultz]

From: Sasha Levin <sasha.levin@oracle.com>

An unvalidated user input is multiplied by a constant, which can result in
an undefined behaviour for large values. While this is validated later,
we should avoid triggering undefined behaviour.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: stable <stable@vger.kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[jstultz: include trivial milisecond->microsecond correction noticed
by Andy]
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 include/linux/time.h | 13 +++++++++++++
 kernel/time/time.c   |  4 ++++
 2 files changed, 17 insertions(+)

diff --git a/include/linux/time.h b/include/linux/time.h
index 8c42cf8..5989b0e 100644
--- a/include/linux/time.h
+++ b/include/linux/time.h
@@ -99,6 +99,19 @@ static inline bool timespec_valid_strict(const struct timespec *ts)
 	return true;
 }
 
+static inline bool timeval_valid(const struct timeval *tv)
+{
+	/* Dates before 1970 are bogus */
+	if (tv->tv_sec < 0)
+		return false;
+
+	/* Can't have more microseconds then a second */
+	if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC)
+		return false;
+
+	return true;
+}
+
 extern struct timespec timespec_trunc(struct timespec t, unsigned gran);
 
 #define CURRENT_TIME		(current_kernel_time())
diff --git a/kernel/time/time.c b/kernel/time/time.c
index a9ae20f..22d5d3b 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -196,6 +196,10 @@ SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv,
 	if (tv) {
 		if (copy_from_user(&user_tv, tv, sizeof(*tv)))
 			return -EFAULT;
+
+		if (!timeval_valid(&user_tv))
+			return -EINVAL;
+
 		new_ts.tv_sec = user_tv.tv_sec;
 		new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC;
 	}
-- 
1.9.1

Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user

[Greg KH]

On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote:
> From: Sasha Levin <sasha.levin@oracle.com>
> 
> An unvalidated user input is multiplied by a constant, which can result in
> an undefined behaviour for large values. While this is validated later,
> we should avoid triggering undefined behaviour.
> 
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: stable <stable@vger.kernel.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> [jstultz: include trivial milisecond->microsecond correction noticed
> by Andy]
> Signed-off-by: John Stultz <john.stultz@linaro.org>
> ---
>  include/linux/time.h | 13 +++++++++++++
>  kernel/time/time.c   |  4 ++++
>  2 files changed, 17 insertions(+)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
for how to do this properly.

</formletter>

Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user

[John Stultz]

On Wed, Jan 7, 2015 at 10:28 AM, Greg KH <greg@kroah.com> wrote:
> On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote:
>> From: Sasha Levin <sasha.levin@oracle.com>
>>
>> An unvalidated user input is multiplied by a constant, which can result in
>> an undefined behaviour for large values. While this is validated later,
>> we should avoid triggering undefined behaviour.
>>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Ingo Molnar <mingo@kernel.org>
>> Cc: stable <stable@vger.kernel.org>
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
>> [jstultz: include trivial milisecond->microsecond correction noticed
>> by Andy]
>> Signed-off-by: John Stultz <john.stultz@linaro.org>
>> ---
>>  include/linux/time.h | 13 +++++++++++++
>>  kernel/time/time.c   |  4 ++++
>>  2 files changed, 17 insertions(+)
>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
> for how to do this properly.
>
> </formletter>

Hrm. I'm not quite sure which rule I'm running afoul here.

Does this seem too much like a theoretical issue and not like enough
of a "oh, that's not good" issue?

thanks
-john

Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user

[Sasha Levin]

On 01/07/2015 02:02 PM, John Stultz wrote:
> On Wed, Jan 7, 2015 at 10:28 AM, Greg KH <greg@kroah.com> wrote:
>> On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote:
>>> From: Sasha Levin <sasha.levin@oracle.com>
>>>
>>> An unvalidated user input is multiplied by a constant, which can result in
>>> an undefined behaviour for large values. While this is validated later,
>>> we should avoid triggering undefined behaviour.
>>>
>>> Cc: Thomas Gleixner <tglx@linutronix.de>
>>> Cc: Ingo Molnar <mingo@kernel.org>
>>> Cc: stable <stable@vger.kernel.org>
>>> Cc: Andy Lutomirski <luto@amacapital.net>
>>> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
>>> [jstultz: include trivial milisecond->microsecond correction noticed
>>> by Andy]
>>> Signed-off-by: John Stultz <john.stultz@linaro.org>
>>> ---
>>>  include/linux/time.h | 13 +++++++++++++
>>>  kernel/time/time.c   |  4 ++++
>>>  2 files changed, 17 insertions(+)
>>
>> <formletter>
>>
>> This is not the correct way to submit patches for inclusion in the
>> stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
>> for how to do this properly.
>>
>> </formletter>
> 
> Hrm. I'm not quite sure which rule I'm running afoul here.
> 
> Does this seem too much like a theoretical issue and not like enough
> of a "oh, that's not good" issue?

I suspect it's something more like "Cc: stable <stable@vger.kernel.org>" vs
"Cc: stable@vger.kernel.org", but not really sure.


Thanks,
Sasha

Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user

[Greg KH]

On Wed, Jan 07, 2015 at 11:02:01AM -0800, John Stultz wrote:
> On Wed, Jan 7, 2015 at 10:28 AM, Greg KH <greg@kroah.com> wrote:
> > On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote:
> >> From: Sasha Levin <sasha.levin@oracle.com>
> >>
> >> An unvalidated user input is multiplied by a constant, which can result in
> >> an undefined behaviour for large values. While this is validated later,
> >> we should avoid triggering undefined behaviour.
> >>
> >> Cc: Thomas Gleixner <tglx@linutronix.de>
> >> Cc: Ingo Molnar <mingo@kernel.org>
> >> Cc: stable <stable@vger.kernel.org>
> >> Cc: Andy Lutomirski <luto@amacapital.net>
> >> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> >> [jstultz: include trivial milisecond->microsecond correction noticed
> >> by Andy]
> >> Signed-off-by: John Stultz <john.stultz@linaro.org>
> >> ---
> >>  include/linux/time.h | 13 +++++++++++++
> >>  kernel/time/time.c   |  4 ++++
> >>  2 files changed, 17 insertions(+)
> >
> > <formletter>
> >
> > This is not the correct way to submit patches for inclusion in the
> > stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
> > for how to do this properly.
> >
> > </formletter>
> 
> Hrm. I'm not quite sure which rule I'm running afoul here.
> 
> Does this seem too much like a theoretical issue and not like enough
> of a "oh, that's not good" issue?

No, crap, my fault, I messed up on these, you are doing this just fine,
I'm not awake this morning...

/me goes off to get more coffee.

greg k-h

[PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values

[John Stultz]

From: Sasha Levin <sasha.levin@oracle.com>

Verify that the frequency value from userspace is valid and makes sense.

Unverified values can cause overflows later on.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: stable <stable@vger.kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[jstultz: Fix up bug for negative values and drop redunent cap check]
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 kernel/time/ntp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 87a346f..28bf91c 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -633,6 +633,13 @@ int ntp_validate_timex(struct timex *txc)
 	if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
 		return -EPERM;
 
+	if (txc->modes & ADJ_FREQUENCY) {
+		if (LONG_MIN / PPM_SCALE > txc->freq)
+			return -EINVAL;
+		if (LONG_MAX / PPM_SCALE < txc->freq)
+			return -EINVAL;
+	}
+
 	return 0;
 }
 
-- 
1.9.1

Re: [PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values

[Greg KH]

On Wed, Jan 07, 2015 at 10:12:20AM -0800, John Stultz wrote:
> From: Sasha Levin <sasha.levin@oracle.com>
> 
> Verify that the frequency value from userspace is valid and makes sense.
> 
> Unverified values can cause overflows later on.
> 
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: stable <stable@vger.kernel.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> [jstultz: Fix up bug for negative values and drop redunent cap check]
> Signed-off-by: John Stultz <john.stultz@linaro.org>
> ---
>  kernel/time/ntp.c | 7 +++++++
>  1 file changed, 7 insertions(+)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
for how to do this properly.

</formletter>

Re: [PATCH v2 0/2] time: tip/timers/urgent: Validate potential mult overflows

[John Stultz]

On Wed, Jan 7, 2015 at 10:12 AM, John Stultz <john.stultz@linaro.org> wrote:
> Hey Ingo, Thomas,
>
>  Here are two mult overflow validation fixes from Sasha for
> tip/timers/urgent that I didn't manage to send out before the holidays.
>
> For v2 I've added the mili->micro fix Andy noticed.
>
> Let me know if you have any objections.

Thomas, Ingo,
  Just wanted to ping you here, since I've not seen any feedback here.

thanks
-john

Re: [PATCH v2 0/2] time: tip/timers/urgent: Validate potential mult overflows

[Thomas Gleixner]

On Wed, 14 Jan 2015, John Stultz wrote:
> On Wed, Jan 7, 2015 at 10:12 AM, John Stultz <john.stultz@linaro.org> wrote:
> Thomas, Ingo,
>   Just wanted to ping you here, since I've not seen any feedback here.

Got caught in my huge backlog. Processing right now.

Thanks,

	tglx