Patch "[PATCH 109/135] time: Verify time values in adjtimex ADJ_SETOFFSET to" has been added to the 4.4-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "[PATCH 109/135] time: Verify time values in adjtimex ADJ_SETOFFSET to" has been added to the 4.4-stable tree
@ 2016-09-09 13:38 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-09-09 13:38 UTC (permalink / raw)
  To: john.stultz, alexander.levin, gregkh, richardcochran, sasha.levin,
	tglx
  Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    [PATCH 109/135] time: Verify time values in adjtimex ADJ_SETOFFSET to

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     0109-time-Verify-time-values-in-adjtimex-ADJ_SETOFFSET-to.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 2b189fe86b2820b583a80419ad3063b5f49fc007 Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Thu, 3 Dec 2015 22:09:31 -0500
Subject: [PATCH 109/135] time: Verify time values in adjtimex ADJ_SETOFFSET to
 avoid overflow

[ Upstream commit 37cf4dc3370fbca0344e23bb96446eb2c3548ba7 ]

For adjtimex()'s ADJ_SETOFFSET, make sure the tv_usec value is
sane. We might multiply them later which can cause an overflow
and undefined behavior.

This patch introduces new helper functions to simplify the
checking code and adds comments to clarify

Orginally this patch was by Sasha Levin, but I've basically
rewritten it, so he should get credit for finding the issue
and I should get the blame for any mistakes made since.

Also, credit to Richard Cochran for the phrasing used in the
comment for what is considered valid here.

Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/time.h      |   26 ++++++++++++++++++++++++++
 kernel/time/ntp.c         |   10 ++++++++--
 kernel/time/timekeeping.c |    2 +-
 3 files changed, 35 insertions(+), 3 deletions(-)

--- a/include/linux/time.h
+++ b/include/linux/time.h
@@ -125,6 +125,32 @@ static inline bool timeval_valid(const s
 
 extern struct timespec timespec_trunc(struct timespec t, unsigned gran);
 
+/*
+ * Validates if a timespec/timeval used to inject a time offset is valid.
+ * Offsets can be postive or negative. The value of the timeval/timespec
+ * is the sum of its fields, but *NOTE*: the field tv_usec/tv_nsec must
+ * always be non-negative.
+ */
+static inline bool timeval_inject_offset_valid(const struct timeval *tv)
+{
+	/* We don't check the tv_sec as it can be positive or negative */
+
+	/* Can't have more microseconds then a second */
+	if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC)
+		return false;
+	return true;
+}
+
+static inline bool timespec_inject_offset_valid(const struct timespec *ts)
+{
+	/* We don't check the tv_sec as it can be positive or negative */
+
+	/* Can't have more nanoseconds then a second */
+	if (ts->tv_nsec < 0 || ts->tv_nsec >= NSEC_PER_SEC)
+		return false;
+	return true;
+}
+
 #define CURRENT_TIME		(current_kernel_time())
 #define CURRENT_TIME_SEC	((struct timespec) { get_seconds(), 0 })
 
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -674,8 +674,14 @@ int ntp_validate_timex(struct timex *txc
 			return -EINVAL;
 	}
 
-	if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
-		return -EPERM;
+	if (txc->modes & ADJ_SETOFFSET) {
+		/* In order to inject time, you gotta be super-user! */
+		if (!capable(CAP_SYS_TIME))
+			return -EPERM;
+
+		if (!timeval_inject_offset_valid(&txc->time))
+			return -EINVAL;
+	}
 
 	/*
 	 * Check for potential multiplication overflows that can
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -958,7 +958,7 @@ int timekeeping_inject_offset(struct tim
 	struct timespec64 ts64, tmp;
 	int ret = 0;
 
-	if ((unsigned long)ts->tv_nsec >= NSEC_PER_SEC)
+	if (!timespec_inject_offset_valid(ts))
 		return -EINVAL;
 
 	ts64 = timespec_to_timespec64(*ts);


Patches currently in stable-queue which might be from john.stultz@linaro.org are

queue-4.4/0110-ntp-Fix-ADJ_SETOFFSET-being-used-w-ADJ_NANO.patch
queue-4.4/0109-time-Verify-time-values-in-adjtimex-ADJ_SETOFFSET-to.patch
queue-4.4/0118-clocksource-Allow-unregistering-the-watchdog.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-09-09 13:43 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-09 13:38 Patch "[PATCH 109/135] time: Verify time values in adjtimex ADJ_SETOFFSET to" has been added to the 4.4-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).