Re: [PATCH v2] ntp: remove accidental integer wrap-around

2024-05-29 Thread Thomas Gleixner
On Mon, May 27 2024 at 10:26, Miroslav Lichvar wrote:
> On Fri, May 24, 2024 at 02:44:19PM +0200, Thomas Gleixner wrote:
>> On Fri, May 24 2024 at 14:09, Thomas Gleixner wrote:
>> > So instead of turning the clock back, we might be better off to actually
>> > put the normalization in place at the a

Re: [PATCH v2] ntp: remove accidental integer wrap-around

2024-05-27 Thread Miroslav Lichvar
On Fri, May 24, 2024 at 02:44:19PM +0200, Thomas Gleixner wrote:
> On Fri, May 24 2024 at 14:09, Thomas Gleixner wrote:
> > So instead of turning the clock back, we might be better off to actually
> > put the normalization in place at the assignment:
> >
> > time_maxerror = min(max(0, txc->maxe

Re: [PATCH v2] ntp: remove accidental integer wrap-around

2024-05-24 Thread Thomas Gleixner
Justin!

On Fri, May 24 2024 at 15:43, Justin Stitt wrote:
> I appreciate you reviewing my patches.

You're welcome!

> On Fri, May 24, 2024 at 5:09 AM Thomas Gleixner wrote:
>> So instead of turning the clock back, we might be better off to actually
>> put the normalization in place at the assign

Re: [PATCH v2] ntp: remove accidental integer wrap-around

2024-05-24 Thread Justin Stitt
Thomas,

I appreciate you reviewing my patches.

On Fri, May 24, 2024 at 5:09 AM Thomas Gleixner wrote:
>
> On Fri, May 17 2024 at 20:22, Justin Stitt wrote:
> > time_maxerror is unconditionally incremented and the result is checked
> > against NTP_PHASE_LIMIT, but the increment itself can overflo

Re: [PATCH v2] ntp: remove accidental integer wrap-around

2024-05-24 Thread Thomas Gleixner
On Fri, May 24 2024 at 14:09, Thomas Gleixner wrote:
> On Fri, May 17 2024 at 20:22, Justin Stitt wrote:
> I dug into history to find a Fixes tag. That unearthed something
> interesting. Exactly this check used to be there until commit
> eea83d896e31 ("ntp: NTP4 user space bits update") which land

Re: [PATCH v2] ntp: remove accidental integer wrap-around

2024-05-24 Thread Thomas Gleixner
On Fri, May 17 2024 at 20:22, Justin Stitt wrote:
> time_maxerror is unconditionally incremented and the result is checked
> against NTP_PHASE_LIMIT, but the increment itself can overflow,
> resulting in wrap-around to negative space.
>
> The user can supply some crazy values which is causing the o

[PATCH v2] ntp: remove accidental integer wrap-around

2024-05-17 Thread Justin Stitt
Using syzkaller alongside the newly reintroduced signed integer overflow
sanitizer spits out this report:

UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16
9223372036854775807 + 500 cannot be represented in type 'long'
Call Trace:
 dump_stack_lvl+0x93/0xd0
 handle_overflow+0x171/0x1b