kernel/time/ntp.c: Possible off-by-one error in TAI range check?

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* kernel/time/ntp.c: Possible off-by-one error in TAI range check?
@ 2019-04-08  8:47 Ondrej Mosnacek
  2019-04-15  8:02 ` Ondrej Mosnacek
  0 siblings, 1 reply; 5+ messages in thread
From: Ondrej Mosnacek @ 2019-04-08  8:47 UTC (permalink / raw)
  To: Roman Zippel
  Cc: Thomas Gleixner, John Stultz, Stephen Boyd, Andrew Morton,
	Linux kernel mailing list

Hello,

while writing tests for clock adjustment auditing [1] [2], I stumbled
upon a strange behavior of adjtimex(2) when setting the TAI offset...

Commit 153b5d054ac2 ("ntp: support for TAI") added a possibility to
change the TAI offset from userspace via adjtimex(2). The code checks
if the input value (txc->constant) is greater than 0 and if it is not,
then it doesn't modify the value. Ignoring the fact that this check
should probably be in timekeeping_validate_timex() and cause -EINVAL
to be returned when false, I find it strange that the check doesn't
allow to set the value to 0, which seems to be the default value...

Was this behavior intended or should the code actually check for
txc->constant >= 0 instead of txc->constant > 0?

Thanks,

[1] https://github.com/linux-audit/audit-kernel/issues/10
[2] https://github.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditing-of-changes-to-system-clock

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: kernel/time/ntp.c: Possible off-by-one error in TAI range check?
  2019-04-08  8:47 kernel/time/ntp.c: Possible off-by-one error in TAI range check? Ondrej Mosnacek
@ 2019-04-15  8:02 ` Ondrej Mosnacek
  2019-04-15  8:09   ` Thomas Gleixner
  0 siblings, 1 reply; 5+ messages in thread
From: Ondrej Mosnacek @ 2019-04-15  8:02 UTC (permalink / raw)
  To: Roman Zippel
  Cc: Thomas Gleixner, John Stultz, Stephen Boyd, Andrew Morton,
	Linux kernel mailing list

On Mon, Apr 8, 2019 at 10:47 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> Hello,
>
> while writing tests for clock adjustment auditing [1] [2], I stumbled
> upon a strange behavior of adjtimex(2) when setting the TAI offset...
>
> Commit 153b5d054ac2 ("ntp: support for TAI") added a possibility to
> change the TAI offset from userspace via adjtimex(2). The code checks
> if the input value (txc->constant) is greater than 0 and if it is not,
> then it doesn't modify the value. Ignoring the fact that this check
> should probably be in timekeeping_validate_timex() and cause -EINVAL
> to be returned when false, I find it strange that the check doesn't
> allow to set the value to 0, which seems to be the default value...
>
> Was this behavior intended or should the code actually check for
> txc->constant >= 0 instead of txc->constant > 0?

Ping?

>
> Thanks,
>
> [1] https://github.com/linux-audit/audit-kernel/issues/10
> [2] https://github.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditing-of-changes-to-system-clock
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: kernel/time/ntp.c: Possible off-by-one error in TAI range check?
  2019-04-15  8:02 ` Ondrej Mosnacek
@ 2019-04-15  8:09   ` Thomas Gleixner
  2019-04-15  8:56     ` Miroslav Lichvar
  0 siblings, 1 reply; 5+ messages in thread
From: Thomas Gleixner @ 2019-04-15  8:09 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: Roman Zippel, John Stultz, Stephen Boyd, Miroslav Lichvar,
	Andrew Morton, Linux kernel mailing list

On Mon, 15 Apr 2019, Ondrej Mosnacek wrote:

CC+ Miroslav

> On Mon, Apr 8, 2019 at 10:47 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > Hello,
> >
> > while writing tests for clock adjustment auditing [1] [2], I stumbled
> > upon a strange behavior of adjtimex(2) when setting the TAI offset...
> >
> > Commit 153b5d054ac2 ("ntp: support for TAI") added a possibility to
> > change the TAI offset from userspace via adjtimex(2). The code checks
> > if the input value (txc->constant) is greater than 0 and if it is not,
> > then it doesn't modify the value. Ignoring the fact that this check
> > should probably be in timekeeping_validate_timex() and cause -EINVAL
> > to be returned when false, I find it strange that the check doesn't
> > allow to set the value to 0, which seems to be the default value...
> >
> > Was this behavior intended or should the code actually check for
> > txc->constant >= 0 instead of txc->constant > 0?
> 
> Ping?
> 
> >
> > Thanks,
> >
> > [1] https://github.com/linux-audit/audit-kernel/issues/10
> > [2] https://github.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditing-of-changes-to-system-clock
> >
> > --
> > Ondrej Mosnacek <omosnace at redhat dot com>
> > Software Engineer, Security Technologies
> > Red Hat, Inc.
> 
> -- 
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: kernel/time/ntp.c: Possible off-by-one error in TAI range check?
  2019-04-15  8:09   ` Thomas Gleixner
@ 2019-04-15  8:56     ` Miroslav Lichvar
  2019-04-16 19:59       ` Thomas Gleixner
  0 siblings, 1 reply; 5+ messages in thread
From: Miroslav Lichvar @ 2019-04-15  8:56 UTC (permalink / raw)
  To: Thomas Gleixner
  Cc: Ondrej Mosnacek, Roman Zippel, John Stultz, Stephen Boyd,
	Andrew Morton, Linux kernel mailing list

On Mon, Apr 15, 2019 at 10:09:43AM +0200, Thomas Gleixner wrote:
> > On Mon, Apr 8, 2019 at 10:47 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > Commit 153b5d054ac2 ("ntp: support for TAI") added a possibility to
> > > change the TAI offset from userspace via adjtimex(2). The code checks
> > > if the input value (txc->constant) is greater than 0 and if it is not,
> > > then it doesn't modify the value. Ignoring the fact that this check
> > > should probably be in timekeeping_validate_timex() and cause -EINVAL
> > > to be returned when false, I find it strange that the check doesn't
> > > allow to set the value to 0, which seems to be the default value...
> > >
> > > Was this behavior intended or should the code actually check for
> > > txc->constant >= 0 instead of txc->constant > 0?

I guess zero here means "unknown" and maybe the intention was to not
allow setting the offset to an unknown value once it has been set to a
valid value. The trouble is that after inserting a leap second the
offset may change from zero to one.

I think it should be changed to allow setting the offset to zero.

-- 
Miroslav Lichvar

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: kernel/time/ntp.c: Possible off-by-one error in TAI range check?
  2019-04-15  8:56     ` Miroslav Lichvar
@ 2019-04-16 19:59       ` Thomas Gleixner
  0 siblings, 0 replies; 5+ messages in thread
From: Thomas Gleixner @ 2019-04-16 19:59 UTC (permalink / raw)
  To: Miroslav Lichvar
  Cc: Ondrej Mosnacek, Roman Zippel, John Stultz, Stephen Boyd,
	Andrew Morton, Linux kernel mailing list

On Mon, 15 Apr 2019, Miroslav Lichvar wrote:
> On Mon, Apr 15, 2019 at 10:09:43AM +0200, Thomas Gleixner wrote:
> > > On Mon, Apr 8, 2019 at 10:47 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > > Commit 153b5d054ac2 ("ntp: support for TAI") added a possibility to
> > > > change the TAI offset from userspace via adjtimex(2). The code checks
> > > > if the input value (txc->constant) is greater than 0 and if it is not,
> > > > then it doesn't modify the value. Ignoring the fact that this check
> > > > should probably be in timekeeping_validate_timex() and cause -EINVAL
> > > > to be returned when false, I find it strange that the check doesn't
> > > > allow to set the value to 0, which seems to be the default value...
> > > >
> > > > Was this behavior intended or should the code actually check for
> > > > txc->constant >= 0 instead of txc->constant > 0?
> 
> I guess zero here means "unknown" and maybe the intention was to not
> allow setting the offset to an unknown value once it has been set to a
> valid value. The trouble is that after inserting a leap second the
> offset may change from zero to one.
> 
> I think it should be changed to allow setting the offset to zero.

Can someone please send a patch with a coherent changelog?

Thanks,

	tglx

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-04-16 19:59 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-08  8:47 kernel/time/ntp.c: Possible off-by-one error in TAI range check? Ondrej Mosnacek
2019-04-15  8:02 ` Ondrej Mosnacek
2019-04-15  8:09   ` Thomas Gleixner
2019-04-15  8:56     ` Miroslav Lichvar
2019-04-16 19:59       ` Thomas Gleixner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).