Re: [PATCH] ntp: remove accidental integer wrap-around

From: John Stultz
Date: Tue May 07 2024 - 01:54:54 EST


On Mon, May 6, 2024 at 9:34 PM Justin Stitt <justinstitt@xxxxxxxxxx> wrote:
> Let's introduce a new macro and use that against NTP_PHASE_LIMIT to
> properly limit the max size of time_maxerror without overflowing during
> the check itself.
>
> Link: https://github.com/llvm/llvm-project/pull/82432 [1]
> Closes: https://github.com/KSPP/linux/issues/354
> Cc: linux-hardening@xxxxxxxxxxxxxxx
> Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
> ---
> include/linux/timex.h | 1 +
> kernel/time/ntp.c | 8 ++++----
> 2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/timex.h b/include/linux/timex.h
> index 3871b06bd302..976490a06915 100644
> --- a/include/linux/timex.h
> +++ b/include/linux/timex.h
> @@ -138,6 +138,7 @@ unsigned long random_get_entropy_fallback(void);
> #define MINSEC 256 /* min interval between updates (s) */
> #define MAXSEC 2048 /* max interval between updates (s) */
> #define NTP_PHASE_LIMIT ((MAXPHASE / NSEC_PER_USEC) << 5) /* beyond max. dispersion */
> +#define NTP_MAXFREQ_USEC (MAXFREQ / NSEC_PER_USEC) /* scaled to microseconds */
>
> /*
> * kernel variables
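
Review bot: the comment on the new NTP_MAXFREQ_USEC define, "scaled to microseconds", says what unit the value is in but not what it is for. Its only user in this patch is second_overflow(), where it is the amount added to time_maxerror, so the comment could say that directly (for example "time_maxerror increment, in usec"), which would also explain why it sits next to NTP_PHASE_LIMIT.
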
> diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
> index 406dccb79c2b..19027b6d0827 100644
> --- a/kernel/time/ntp.c
> +++ b/kernel/time/ntp.c
> @@ -454,12 +454,12 @@ int second_overflow(time64_t secs)
> }
>
>
> - /* Bump the maxerror field */
> - time_maxerror += MAXFREQ / NSEC_PER_USEC;
> - if (time_maxerror > NTP_PHASE_LIMIT) {
> + /* Bump the maxerror field, making sure not to exceed NTP_PHASE_LIMIT */
> + if (NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC < time_maxerror) {
> time_maxerror = NTP_PHASE_LIMIT;
> time_status |= STA_UNSYNC;
> - }
> + } else
> + time_maxerror += NTP_MAXFREQ_USEC;
>
> /* Compute the phase adjustment for the next second */
> tick_length = tick_length_base;
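
Review bot: in the second_overflow() hunk the new `} else` arm is unbraced while the `if` arm keeps its braces; kernel coding style asks for braces on both arms when either one has them, so this should be `} else {` with the `time_maxerror += NTP_MAXFREQ_USEC;` line enclosed. The rewritten test is the old "add, then compare against NTP_PHASE_LIMIT" condition rearranged, so the clamp and STA_UNSYNC still trigger at the same threshold; writing it as `time_maxerror > NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC` would keep the variable on the left, as in the removed line, and read more easily.
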
>

Looks reasonable to me.
Acked-by: John Stultz <jstultz@xxxxxxxxxx>

thanks
-john