[PATCH] time: Validate the usec before covert to nsec in do_adjtimex

[PATCH] time: Validate the usec before covert to nsec in do_adjtimex

[ZhangXiaoxu]

When covert the usec to nsec, it will multiple 1000, it maybe
overflow and lead an undefined behavior.

For example, users may input an negative tv_usec values when
call adjtimex syscall, then multiple 1000 maybe overflow it
to a positive and legal number.

So, we should validate the usec before coverted it to nsec.

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
---
 kernel/time/timekeeping.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 44b726b..e5c1d00 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -1272,9 +1272,6 @@ static int timekeeping_inject_offset(const struct timespec64 *ts)
 	struct timespec64 tmp;
 	int ret = 0;
 
-	if (ts->tv_nsec < 0 || ts->tv_nsec >= NSEC_PER_SEC)
-		return -EINVAL;
-
 	raw_spin_lock_irqsave(&timekeeper_lock, flags);
 	write_seqcount_begin(&tk_core.seq);
 
@@ -2321,6 +2318,9 @@ int do_adjtimex(struct __kernel_timex *txc)
 
 	if (txc->modes & ADJ_SETOFFSET) {
 		struct timespec64 delta;
+
+		if (txc->time.tv_usec < 0 || txc->time.tv_usec >= USEC_PER_SEC)
+			return -EINVAL;
 		delta.tv_sec  = txc->time.tv_sec;
 		delta.tv_nsec = txc->time.tv_usec;
 		if (!(txc->modes & ADJ_NANO))
-- 
2.7.4

Re: [PATCH] time: Validate the usec before covert to nsec in do_adjtimex

[Thomas Gleixner]

On Mon, 8 Jul 2019, ZhangXiaoxu wrote:

> When covert the usec to nsec, it will multiple 1000, it maybe
> overflow and lead an undefined behavior.
> 
> For example, users may input an negative tv_usec values when
> call adjtimex syscall, then multiple 1000 maybe overflow it
> to a positive and legal number.
> 
> So, we should validate the usec before coverted it to nsec.

That's correct, but the actuall inject function wants to keep the sanity
check,

Thanks,

	tglx

Re: [PATCH] time: Validate the usec before covert to nsec in do_adjtimex

[zhangxiaoxu (A)]

在 2019/7/8 17:24, Thomas Gleixner 写道:
> On Mon, 8 Jul 2019, ZhangXiaoxu wrote:
> 
>> When covert the usec to nsec, it will multiple 1000, it maybe
>> overflow and lead an undefined behavior.
>>
>> For example, users may input an negative tv_usec values when
>> call adjtimex syscall, then multiple 1000 maybe overflow it
>> to a positive and legal number.
>>
>> So, we should validate the usec before coverted it to nsec.
> 
> That's correct, but the actuall inject function wants to keep the sanity
> check,
timekeeping_inject_offset is called only by timekeeping_warp_clock and do_adjtimex.
The do_adjtimex already validate it, and timekeeping_warp_clock is set tv_nsec=0.
We keep the sanity check is for some other maybe use this function?
I had send a v2 to keep the sanity check in timekeeping_inject_offset.

Thanks.
> 
> Thanks,
> 
> 	tglx
> 
> .
> 

Re: [PATCH] time: Validate the usec before covert to nsec in do_adjtimex

[Richard Cochran]

On Mon, Jul 08, 2019 at 03:55:04PM +0800, ZhangXiaoxu wrote:
> When covert the usec to nsec, it will multiple 1000, it maybe
> overflow and lead an undefined behavior.
> 
> For example, users may input an negative tv_usec values when
> call adjtimex syscall, then multiple 1000 maybe overflow it
> to a positive and legal number.
> 
> So, we should validate the usec before coverted it to nsec.
> 
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
> ---
>  kernel/time/timekeeping.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
> index 44b726b..e5c1d00 100644
> --- a/kernel/time/timekeeping.c
> +++ b/kernel/time/timekeeping.c
> @@ -1272,9 +1272,6 @@ static int timekeeping_inject_offset(const struct timespec64 *ts)
>  	struct timespec64 tmp;
>  	int ret = 0;
>  
> -	if (ts->tv_nsec < 0 || ts->tv_nsec >= NSEC_PER_SEC)
> -		return -EINVAL;
> -
>  	raw_spin_lock_irqsave(&timekeeper_lock, flags);
>  	write_seqcount_begin(&tk_core.seq);
>  
> @@ -2321,6 +2318,9 @@ int do_adjtimex(struct __kernel_timex *txc)
>  
>  	if (txc->modes & ADJ_SETOFFSET) {
>  		struct timespec64 delta;
> +
> +		if (txc->time.tv_usec < 0 || txc->time.tv_usec >= USEC_PER_SEC)
> +			return -EINVAL;

This test is wrong.  If the tv_usec field is in nanoseconds, then the
value can easily be greater than USEC_PER_SEC.

>  		delta.tv_sec  = txc->time.tv_sec;
>  		delta.tv_nsec = txc->time.tv_usec;
>  		if (!(txc->modes & ADJ_NANO))
> -- 
> 2.7.4
> 

Thanks,
Richard