On Mon, May 6, 2024 at 9:34 PM Justin Stitt <justinst...@google.com> wrote: > Let's introduce a new macro and use that against NTP_PHASE_LIMIT to > properly limit the max size of time_maxerror without overflowing during > the check itself. > > Link: https://github.com/llvm/llvm-project/pull/82432 [1] > Closes: https://github.com/KSPP/linux/issues/354 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinst...@google.com> > --- > include/linux/timex.h | 1 + > kernel/time/ntp.c | 8 ++++---- > 2 files changed, 5 insertions(+), 4 deletions(-) > > diff --git a/include/linux/timex.h b/include/linux/timex.h > index 3871b06bd302..976490a06915 100644 > --- a/include/linux/timex.h > +++ b/include/linux/timex.h > @@ -138,6 +138,7 @@ unsigned long random_get_entropy_fallback(void); > #define MINSEC 256 /* min interval between updates (s) */ > #define MAXSEC 2048 /* max interval between updates (s) */ > #define NTP_PHASE_LIMIT ((MAXPHASE / NSEC_PER_USEC) << 5) /* beyond max. > dispersion */ > +#define NTP_MAXFREQ_USEC (MAXFREQ / NSEC_PER_USEC) /* scaled to microseconds > */ > > /* > * kernel variables > diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c > index 406dccb79c2b..19027b6d0827 100644 > --- a/kernel/time/ntp.c > +++ b/kernel/time/ntp.c > @@ -454,12 +454,12 @@ int second_overflow(time64_t secs) > } > > > - /* Bump the maxerror field */ > - time_maxerror += MAXFREQ / NSEC_PER_USEC; > - if (time_maxerror > NTP_PHASE_LIMIT) { > + /* Bump the maxerror field, making sure not to exceed NTP_PHASE_LIMIT > */ > + if (NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC < time_maxerror) { > time_maxerror = NTP_PHASE_LIMIT; > time_status |= STA_UNSYNC; > - } > + } else > + time_maxerror += NTP_MAXFREQ_USEC; > > /* Compute the phase adjustment for the next second */ > tick_length = tick_length_base; >
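Review bot: In the include/linux/timex.h hunk, the comment on NTP_MAXFREQ_USEC ("scaled to microseconds") does not say what the value is for. Its only use in this patch is as the per-second increment of time_maxerror in second_overflow(), so a comment saying that would make the macro self-explanatory next to NTP_PHASE_LIMIT, the bound it is checked against.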
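Review bot: In the second_overflow() hunk of kernel/time/ntp.c, the new `} else` branch is unbraced while the if branch keeps its braces; kernel coding style asks for braces on both branches when either one has them, so this should be `} else {` with `time_maxerror += NTP_MAXFREQ_USEC;` inside and a closing `}`. The rewritten condition would also read more directly with the variable on the left, as `time_maxerror > NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC`, which is the same test.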
Looks reasonable to me.

Acked-by: John Stultz <jstu...@google.com>

thanks
-john