From: Thomas Gleixner <tglx@linutronix.de>
To: Justin Stitt <justinstitt@google.com>,
John Stultz <jstultz@google.com>, Stephen Boyd <sboyd@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Bill Wendling <morbo@google.com>
Cc: linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
linux-hardening@vger.kernel.org,
Justin Stitt <justinstitt@google.com>
Subject: Re: [PATCH v2] ntp: safeguard against time_constant overflow case
Date: Sat, 18 May 2024 04:33:43 +0200
Message-ID: <87pltjj1bs.ffs@tglx>
In-Reply-To: <20240517-b4-sio-ntp-c-v2-1-f3a80096f36f@google.com>
Justin!
On Fri, May 17 2024 at 00:47, Justin Stitt wrote:
> if (txc->modes & ADJ_TIMECONST) {
> - time_constant = txc->constant;
> - if (!(time_status & STA_NANO))
> + if (!(time_status & STA_NANO) && time_constant < MAXTC)
> time_constant += 4;
> time_constant = min(time_constant, (long)MAXTC);
> time_constant = max(time_constant, 0l);
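Review bot: the removed line `time_constant = txc->constant;` is the only place in this block where the user-supplied value is stored, so with it gone an ADJ_TIMECONST request never applies txc->constant, and the new `time_constant < MAXTC` test examines the previous value of time_constant instead of the input. Keep the assignment and bound the input before the `+= 4`, for example by limiting txc->constant to the range 0..MAXTC first, so that the addition cannot overflow and valid requests still take effect.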
Let me digest this.
The original code does:

	time_constant = txc->constant;
	if (!(time_status & STA_NANO))
		time_constant += 4;
	time_constant = min(time_constant, (long)MAXTC);
	time_constant = max(time_constant, 0l);

Your change results in:

	if (!(time_status & STA_NANO) && time_constant < MAXTC)
		time_constant += 4;
	time_constant = min(time_constant, (long)MAXTC);
	time_constant = max(time_constant, 0l);

IOW, you lost the intent of the code to assign the user space supplied
value of txc->constant.
Aside of that you clearly failed to map the deep analysis I provided to
you vs. the time_maxerror issue to this one:

  # git grep 'time_constant.*=' kernel/time/
  ntp.c:66:static long time_constant = 2;

That's the static initializer

  kernel/time/ntp.c:736: time_constant = txc->constant;
  kernel/time/ntp.c:738: time_constant += 4;
  kernel/time/ntp.c:739: time_constant = min(time_constant, (long)MAXTC);
  kernel/time/ntp.c:740: time_constant = max(time_constant, 0l);

That's the part of process_adjtimex_modes() you are trying to
"fix". So it's exactly the same problem as with time_maxerror, no?
And therefore you provide a "safeguard" against overflow for the price of
making the syscall dysfunctional. Seriously?
Did you even try to run something else than the bad case reproducer
against your fix?
No. You did not. Any of the related real use case tests would have
failed.
I told you yesterday:

  Tools are good to pin-point symptoms, but they are by definition
  patently bad in root cause analysis. Otherwise we could just let the
  tool write the "fix".

Such a tool would have at least produced a correct "fix" to cure the
symptom.
Thanks,
tglx
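
The three behaviours discussed in this message, modelled in user space as an added example (not code from the thread or from the kernel tree): the original logic, the quoted v2 change, and one possible overflow-safe variant that bounds the input first. The function names are hypothetical, the MAXTC and STA_NANO values are assumed to match include/uapi/linux/timex.h, and the bound-first variant is an assumption of this example, not a statement of what was merged.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MAXTC    10      /* assumed to match include/uapi/linux/timex.h */
#define STA_NANO 0x2000  /* assumed to match include/uapi/linux/timex.h */

static long clampl(long v, long lo, long hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/* Original logic: store the input, add 4 unless STA_NANO, then clamp.
 * *overflowed reports the signed overflow; the add wraps without UB here. */
static long tc_original(long constant, int status, bool *overflowed)
{
	long tc = constant;

	*overflowed = false;
	if (!(status & STA_NANO))
		*overflowed = __builtin_add_overflow(tc, 4L, &tc);
	return clampl(tc, 0, MAXTC);
}

/* Quoted v2 change: the assignment is gone, so only the old value is used. */
static long tc_v2(long cur, long constant, int status)
{
	(void)constant;  /* the user-supplied value is never read */
	if (!(status & STA_NANO) && cur < MAXTC)
		cur += 4;
	return clampl(cur, 0, MAXTC);
}

/* Bound-first variant: negative inputs become 0 before the add. */
static long tc_clamp_first(long constant, int status)
{
	long tc = clampl(constant, 0, MAXTC);

	if (!(status & STA_NANO))
		tc += 4;
	return clampl(tc, 0, MAXTC);
}

int main(void)
{
	bool ov;
	long r = tc_original(LONG_MAX, 0, &ov);

	printf("original, LONG_MAX requested: %ld (overflow=%d)\n", r, ov);
	printf("v2, 3 requested, current 2: %ld\n", tc_v2(2, 3, 0));
	printf("bound-first, LONG_MAX requested: %ld\n", tc_clamp_first(LONG_MAX, 0));
	return 0;
}
```

The v2 model returns a value derived from the current setting whatever is requested, which is why a test that sets a valid time constant and reads it back would fail.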
Thread overview: 4+ messages
2024-05-17 0:47 [PATCH v2] ntp: safeguard against time_constant overflow case Justin Stitt
2024-05-18 2:33 ` Thomas Gleixner [this message]
[not found] ` <CAFhGd8q_zgWj+up87k1ErYJAiTuvkoeiAZE066Nf5gRqf0Q9QQ@mail.gmail.com>
2024-05-19 11:31 ` Thomas Gleixner
2024-08-05 14:22 ` [tip: timers/urgent] ntp: Safeguard against time_constant overflow tip-bot2 for Justin Stitt