[PATCH] ntp: remove accidental integer wrap-around

From: Justin Stitt
Date: Tue May 07 2024 - 00:34:26 EST


Using syzkaller alongside the newly reintroduced signed integer overflow
sanitizer spits out this report:

[ 138.454979] ------------[ cut here ]------------
[ 138.458089] UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16
[ 138.462134] 9223372036854775807 + 500 cannot be represented in type 'long'
[ 138.466234] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0-rc2-00038-gc0a509640e93-dirty #10
[ 138.471498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 138.477110] Call Trace:
[ 138.478657] <IRQ>
[ 138.479964] dump_stack_lvl+0x93/0xd0
[ 138.482276] handle_overflow+0x171/0x1b0
[ 138.484699] second_overflow+0x2d6/0x500
[ 138.487133] accumulate_nsecs_to_secs+0x60/0x160
[ 138.489931] timekeeping_advance+0x1fe/0x890
[ 138.492535] update_wall_time+0x10/0x30
..

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").

Let's introduce a new macro and use that against NTP_PHASE_LIMIT to
properly limit the max size of time_maxerror without overflowing during
the check itself.

Link: https://github.com/llvm/llvm-project/pull/82432 [1]
Closes: https://github.com/KSPP/linux/issues/354
Cc: linux-hardening@xxxxxxxxxxxxxxx
Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
---
include/linux/timex.h | 1 +
kernel/time/ntp.c | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/timex.h b/include/linux/timex.h
index 3871b06bd302..976490a06915 100644
--- a/include/linux/timex.h
+++ b/include/linux/timex.h
@@ -138,6 +138,7 @@ unsigned long random_get_entropy_fallback(void);
#define MINSEC 256 /* min interval between updates (s) */
#define MAXSEC 2048 /* max interval between updates (s) */
#define NTP_PHASE_LIMIT ((MAXPHASE / NSEC_PER_USEC) << 5) /* beyond max. dispersion */
+#define NTP_MAXFREQ_USEC (MAXFREQ / NSEC_PER_USEC) /* scaled to microseconds */

/*
* kernel variables
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 406dccb79c2b..19027b6d0827 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -454,12 +454,12 @@ int second_overflow(time64_t secs)
}


- /* Bump the maxerror field */
- time_maxerror += MAXFREQ / NSEC_PER_USEC;
- if (time_maxerror > NTP_PHASE_LIMIT) {
+ /* Bump the maxerror field, making sure not to exceed NTP_PHASE_LIMIT */
+ if (NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC < time_maxerror) {
time_maxerror = NTP_PHASE_LIMIT;
time_status |= STA_UNSYNC;
- }
+ } else
+ time_maxerror += NTP_MAXFREQ_USEC;

/* Compute the phase adjustment for the next second */
tick_length = tick_length_base;

---
base-commit: 0106679839f7c69632b3b9833c3268c316c0a9fc
change-id: 20240507-b4-sio-ntp-usec-1a3ab67bdce1

Best regards,
--
Justin Stitt <justinstitt@xxxxxxxxxx>