* [PATCH 1/2] time: settimeofday: Validate the values of tv from user [not found] <1420654340-3009-1-git-send-email-john.stultz@linaro.org> @ 2015-01-07 18:12 ` John Stultz 2015-01-07 18:28 ` Greg KH 2015-01-07 18:12 ` [PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values John Stultz 1 sibling, 1 reply; 9+ messages in thread From: John Stultz @ 2015-01-07 18:12 UTC (permalink / raw) To: lkml Cc: Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski, John Stultz From: Sasha Levin <sasha.levin@oracle.com> An unvalidated user input is multiplied by a constant, which can result in an undefined behaviour for large values. While this is validated later, we should avoid triggering undefined behaviour. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: stable <stable@vger.kernel.org> Cc: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> [jstultz: include trivial milisecond->microsecond correction noticed by Andy] Signed-off-by: John Stultz <john.stultz@linaro.org> --- include/linux/time.h | 13 +++++++++++++ kernel/time/time.c | 4 ++++ 2 files changed, 17 insertions(+) diff --git a/include/linux/time.h b/include/linux/time.h index 8c42cf8..5989b0e 100644 --- a/include/linux/time.h +++ b/include/linux/time.h @@ -99,6 +99,19 @@ static inline bool timespec_valid_strict(const struct timespec *ts) return true; } +static inline bool timeval_valid(const struct timeval *tv) +{ + /* Dates before 1970 are bogus */ + if (tv->tv_sec < 0) + return false; + + /* Can't have more microseconds then a second */ + if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC) + return false; + + return true; +} + extern struct timespec timespec_trunc(struct timespec t, unsigned gran); #define CURRENT_TIME (current_kernel_time()) diff --git a/kernel/time/time.c b/kernel/time/time.c index a9ae20f..22d5d3b 100644 --- a/kernel/time/time.c +++ b/kernel/time/time.c @@ -196,6 +196,10 @@ SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv, if (tv) { if (copy_from_user(&user_tv, tv, sizeof(*tv))) return -EFAULT; + + if (!timeval_valid(&user_tv)) + return -EINVAL; + new_ts.tv_sec = user_tv.tv_sec; new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC; } -- 1.9.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user 2015-01-07 18:12 ` [PATCH 1/2] time: settimeofday: Validate the values of tv from user John Stultz @ 2015-01-07 18:28 ` Greg KH 2015-01-07 19:02 ` John Stultz 0 siblings, 1 reply; 9+ messages in thread From: Greg KH @ 2015-01-07 18:28 UTC (permalink / raw) To: John Stultz Cc: lkml, Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote: > From: Sasha Levin <sasha.levin@oracle.com> > > An unvalidated user input is multiplied by a constant, which can result in > an undefined behaviour for large values. While this is validated later, > we should avoid triggering undefined behaviour. > > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@kernel.org> > Cc: stable <stable@vger.kernel.org> > Cc: Andy Lutomirski <luto@amacapital.net> > Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > [jstultz: include trivial milisecond->microsecond correction noticed > by Andy] > Signed-off-by: John Stultz <john.stultz@linaro.org> > --- > include/linux/time.h | 13 +++++++++++++ > kernel/time/time.c | 4 ++++ > 2 files changed, 17 insertions(+) <formletter> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read Documentation/stable_kernel_rules.txt for how to do this properly. </formletter> ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user 2015-01-07 18:28 ` Greg KH @ 2015-01-07 19:02 ` John Stultz 2015-01-07 19:04 ` Sasha Levin 2015-01-07 19:09 ` Greg KH 0 siblings, 2 replies; 9+ messages in thread From: John Stultz @ 2015-01-07 19:02 UTC (permalink / raw) To: Greg KH Cc: lkml, Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski On Wed, Jan 7, 2015 at 10:28 AM, Greg KH <greg@kroah.com> wrote: > On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote: >> From: Sasha Levin <sasha.levin@oracle.com> >> >> An unvalidated user input is multiplied by a constant, which can result in >> an undefined behaviour for large values. While this is validated later, >> we should avoid triggering undefined behaviour. >> >> Cc: Thomas Gleixner <tglx@linutronix.de> >> Cc: Ingo Molnar <mingo@kernel.org> >> Cc: stable <stable@vger.kernel.org> >> Cc: Andy Lutomirski <luto@amacapital.net> >> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> >> [jstultz: include trivial milisecond->microsecond correction noticed >> by Andy] >> Signed-off-by: John Stultz <john.stultz@linaro.org> >> --- >> include/linux/time.h | 13 +++++++++++++ >> kernel/time/time.c | 4 ++++ >> 2 files changed, 17 insertions(+) > > <formletter> > > This is not the correct way to submit patches for inclusion in the > stable kernel tree. Please read Documentation/stable_kernel_rules.txt > for how to do this properly. > > </formletter> Hrm. I'm not quite sure which rule I'm running afoul here. Does this seem too much like a theoretical issue and not like enough of a "oh, that's not good" issue? thanks -john ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user 2015-01-07 19:02 ` John Stultz @ 2015-01-07 19:04 ` Sasha Levin 2015-01-07 19:09 ` Greg KH 1 sibling, 0 replies; 9+ messages in thread From: Sasha Levin @ 2015-01-07 19:04 UTC (permalink / raw) To: John Stultz, Greg KH Cc: lkml, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski On 01/07/2015 02:02 PM, John Stultz wrote: > On Wed, Jan 7, 2015 at 10:28 AM, Greg KH <greg@kroah.com> wrote: >> On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote: >>> From: Sasha Levin <sasha.levin@oracle.com> >>> >>> An unvalidated user input is multiplied by a constant, which can result in >>> an undefined behaviour for large values. While this is validated later, >>> we should avoid triggering undefined behaviour. >>> >>> Cc: Thomas Gleixner <tglx@linutronix.de> >>> Cc: Ingo Molnar <mingo@kernel.org> >>> Cc: stable <stable@vger.kernel.org> >>> Cc: Andy Lutomirski <luto@amacapital.net> >>> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> >>> [jstultz: include trivial milisecond->microsecond correction noticed >>> by Andy] >>> Signed-off-by: John Stultz <john.stultz@linaro.org> >>> --- >>> include/linux/time.h | 13 +++++++++++++ >>> kernel/time/time.c | 4 ++++ >>> 2 files changed, 17 insertions(+) >> >> <formletter> >> >> This is not the correct way to submit patches for inclusion in the >> stable kernel tree. Please read Documentation/stable_kernel_rules.txt >> for how to do this properly. >> >> </formletter> > > Hrm. I'm not quite sure which rule I'm running afoul here. > > Does this seem too much like a theoretical issue and not like enough > of a "oh, that's not good" issue? I suspect it's something more like "Cc: stable <stable@vger.kernel.org>" vs "Cc: stable@vger.kernel.org", but not really sure. Thanks, Sasha ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user 2015-01-07 19:02 ` John Stultz 2015-01-07 19:04 ` Sasha Levin @ 2015-01-07 19:09 ` Greg KH 1 sibling, 0 replies; 9+ messages in thread From: Greg KH @ 2015-01-07 19:09 UTC (permalink / raw) To: John Stultz Cc: lkml, Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski On Wed, Jan 07, 2015 at 11:02:01AM -0800, John Stultz wrote: > On Wed, Jan 7, 2015 at 10:28 AM, Greg KH <greg@kroah.com> wrote: > > On Wed, Jan 07, 2015 at 10:12:19AM -0800, John Stultz wrote: > >> From: Sasha Levin <sasha.levin@oracle.com> > >> > >> An unvalidated user input is multiplied by a constant, which can result in > >> an undefined behaviour for large values. While this is validated later, > >> we should avoid triggering undefined behaviour. > >> > >> Cc: Thomas Gleixner <tglx@linutronix.de> > >> Cc: Ingo Molnar <mingo@kernel.org> > >> Cc: stable <stable@vger.kernel.org> > >> Cc: Andy Lutomirski <luto@amacapital.net> > >> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > >> [jstultz: include trivial milisecond->microsecond correction noticed > >> by Andy] > >> Signed-off-by: John Stultz <john.stultz@linaro.org> > >> --- > >> include/linux/time.h | 13 +++++++++++++ > >> kernel/time/time.c | 4 ++++ > >> 2 files changed, 17 insertions(+) > > > > <formletter> > > > > This is not the correct way to submit patches for inclusion in the > > stable kernel tree. Please read Documentation/stable_kernel_rules.txt > > for how to do this properly. > > > > </formletter> > > Hrm. I'm not quite sure which rule I'm running afoul here. > > Does this seem too much like a theoretical issue and not like enough > of a "oh, that's not good" issue? No, crap, my fault, I messed up on these, you are doing this just fine, I'm not awake this morning... /me goes off to get more coffee. greg k-h ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values [not found] <1420654340-3009-1-git-send-email-john.stultz@linaro.org> 2015-01-07 18:12 ` [PATCH 1/2] time: settimeofday: Validate the values of tv from user John Stultz @ 2015-01-07 18:12 ` John Stultz 2015-01-07 18:28 ` Greg KH 1 sibling, 1 reply; 9+ messages in thread From: John Stultz @ 2015-01-07 18:12 UTC (permalink / raw) To: lkml Cc: Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski, John Stultz From: Sasha Levin <sasha.levin@oracle.com> Verify that the frequency value from userspace is valid and makes sense. Unverified values can cause overflows later on. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: stable <stable@vger.kernel.org> Cc: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> [jstultz: Fix up bug for negative values and drop redunent cap check] Signed-off-by: John Stultz <john.stultz@linaro.org> --- kernel/time/ntp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index 87a346f..28bf91c 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -633,6 +633,13 @@ int ntp_validate_timex(struct timex *txc) if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME))) return -EPERM; + if (txc->modes & ADJ_FREQUENCY) { + if (LONG_MIN / PPM_SCALE > txc->freq) + return -EINVAL; + if (LONG_MAX / PPM_SCALE < txc->freq) + return -EINVAL; + } + return 0; } -- 1.9.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values 2015-01-07 18:12 ` [PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values John Stultz @ 2015-01-07 18:28 ` Greg KH 0 siblings, 0 replies; 9+ messages in thread From: Greg KH @ 2015-01-07 18:28 UTC (permalink / raw) To: John Stultz Cc: lkml, Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, Andy Lutomirski On Wed, Jan 07, 2015 at 10:12:20AM -0800, John Stultz wrote: > From: Sasha Levin <sasha.levin@oracle.com> > > Verify that the frequency value from userspace is valid and makes sense. > > Unverified values can cause overflows later on. > > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@kernel.org> > Cc: stable <stable@vger.kernel.org> > Cc: Andy Lutomirski <luto@amacapital.net> > Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > [jstultz: Fix up bug for negative values and drop redunent cap check] > Signed-off-by: John Stultz <john.stultz@linaro.org> > --- > kernel/time/ntp.c | 7 +++++++ > 1 file changed, 7 insertions(+) <formletter> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read Documentation/stable_kernel_rules.txt for how to do this properly. </formletter> ^ permalink raw reply [flat|nested] 9+ messages in thread
[parent not found: <1420228268-2161-1-git-send-email-john.stultz@linaro.org>]
* [PATCH 1/2] time: settimeofday: Validate the values of tv from user [not found] <1420228268-2161-1-git-send-email-john.stultz@linaro.org> @ 2015-01-02 19:51 ` John Stultz 2015-01-03 4:06 ` Andy Lutomirski 0 siblings, 1 reply; 9+ messages in thread From: John Stultz @ 2015-01-02 19:51 UTC (permalink / raw) To: lkml; +Cc: Sasha Levin, Thomas Gleixner, Ingo Molnar, stable, John Stultz From: Sasha Levin <sasha.levin@oracle.com> An unvalidated user input is multiplied by a constant, which can result in an undefined behaviour for large values. While this is validated later, we should avoid triggering undefined behaviour. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: John Stultz <john.stultz@linaro.org> --- include/linux/time.h | 13 +++++++++++++ kernel/time/time.c | 4 ++++ 2 files changed, 17 insertions(+) diff --git a/include/linux/time.h b/include/linux/time.h index 8c42cf8..7a10ec1 100644 --- a/include/linux/time.h +++ b/include/linux/time.h @@ -99,6 +99,19 @@ static inline bool timespec_valid_strict(const struct timespec *ts) return true; } +static inline bool timeval_valid(const struct timeval *tv) +{ + /* Dates before 1970 are bogus */ + if (tv->tv_sec < 0) + return false; + + /* Can't have more miliseconds then a second */ + if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC) + return false; + + return true; +} + extern struct timespec timespec_trunc(struct timespec t, unsigned gran); #define CURRENT_TIME (current_kernel_time()) diff --git a/kernel/time/time.c b/kernel/time/time.c index a9ae20f..22d5d3b 100644 --- a/kernel/time/time.c +++ b/kernel/time/time.c @@ -196,6 +196,10 @@ SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv, if (tv) { if (copy_from_user(&user_tv, tv, sizeof(*tv))) return -EFAULT; + + if (!timeval_valid(&user_tv)) + return -EINVAL; + new_ts.tv_sec = user_tv.tv_sec; new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC; } -- 1.9.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] time: settimeofday: Validate the values of tv from user 2015-01-02 19:51 ` [PATCH 1/2] time: settimeofday: Validate the values of tv from user John Stultz @ 2015-01-03 4:06 ` Andy Lutomirski 0 siblings, 0 replies; 9+ messages in thread From: Andy Lutomirski @ 2015-01-03 4:06 UTC (permalink / raw) To: John Stultz, lkml; +Cc: Sasha Levin, Thomas Gleixner, Ingo Molnar, stable On 01/02/2015 11:51 AM, John Stultz wrote: > From: Sasha Levin <sasha.levin@oracle.com> > > An unvalidated user input is multiplied by a constant, which can result in > an undefined behaviour for large values. While this is validated later, > we should avoid triggering undefined behaviour. > > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@kernel.org> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > Signed-off-by: John Stultz <john.stultz@linaro.org> > --- > include/linux/time.h | 13 +++++++++++++ > kernel/time/time.c | 4 ++++ > 2 files changed, 17 insertions(+) > > diff --git a/include/linux/time.h b/include/linux/time.h > index 8c42cf8..7a10ec1 100644 > --- a/include/linux/time.h > +++ b/include/linux/time.h > @@ -99,6 +99,19 @@ static inline bool timespec_valid_strict(const struct timespec *ts) > return true; > } > > +static inline bool timeval_valid(const struct timeval *tv) > +{ > + /* Dates before 1970 are bogus */ > + if (tv->tv_sec < 0) > + return false; > + > + /* Can't have more miliseconds then a second */ Trivial nit: that should be "microseconds". --Andy > + if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC) > + return false; > + > + return true; > +} > + > extern struct timespec timespec_trunc(struct timespec t, unsigned gran); > > #define CURRENT_TIME (current_kernel_time()) > diff --git a/kernel/time/time.c b/kernel/time/time.c > index a9ae20f..22d5d3b 100644 > --- a/kernel/time/time.c > +++ b/kernel/time/time.c > @@ -196,6 +196,10 @@ SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv, > if (tv) { > if (copy_from_user(&user_tv, tv, sizeof(*tv))) > return -EFAULT; > + > + if (!timeval_valid(&user_tv)) > + return -EINVAL; > + > new_ts.tv_sec = user_tv.tv_sec; > new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC; > } > ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2015-01-07 19:09 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1420654340-3009-1-git-send-email-john.stultz@linaro.org>
2015-01-07 18:12 ` [PATCH 1/2] time: settimeofday: Validate the values of tv from user John Stultz
2015-01-07 18:28 ` Greg KH
2015-01-07 19:02 ` John Stultz
2015-01-07 19:04 ` Sasha Levin
2015-01-07 19:09 ` Greg KH
2015-01-07 18:12 ` [PATCH 2/2] time: adjtimex: Validate the ADJ_FREQUENCY values John Stultz
2015-01-07 18:28 ` Greg KH
[not found] <1420228268-2161-1-git-send-email-john.stultz@linaro.org>
2015-01-02 19:51 ` [PATCH 1/2] time: settimeofday: Validate the values of tv from user John Stultz
2015-01-03 4:06 ` Andy Lutomirski
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).