ntp: remove accidental integer wrap-around

Using syzkaller alongside the newly reintroduced signed integer overflow sanitizer spits out this report: [ 138.454979] ------------[ cut here ]------------ [ 138.458089] UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16 [ 138.462134] 9223372036854775807 + 500 cannot be represented in type 'long' [ 138.466234] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0-rc2-00038-gc0a509640e93-dirty torvalds#10 [ 138.471498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 138.477110] Call Trace: [ 138.478657] <IRQ> [ 138.479964] dump_stack_lvl+0x93/0xd0 [ 138.482276] handle_overflow+0x171/0x1b0 [ 138.484699] second_overflow+0x2d6/0x500 [ 138.487133] accumulate_nsecs_to_secs+0x60/0x160 [ 138.489931] timekeeping_advance+0x1fe/0x890 [ 138.492535] update_wall_time+0x10/0x30 .. Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang. It was re-enabled in the kernel with Commit 557f8c5 ("ubsan: Reintroduce signed overflow sanitizer"). Let's introduce a new macro and use that against NTP_PHASE_LIMIT to properly limit the max size of time_maxerror without overflowing during the check itself. Link: llvm/llvm-project#82432 [1] Closes: KSPP#354 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com>
intel-lab-lkp · May 7, 2024 · 0b3a623 · 0b3a623
1 parent 0106679
commit 0b3a623
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/include/linux/timex.h b/include/linux/timex.h
@@ -138,6 +138,7 @@ unsigned long random_get_entropy_fallback(void);
 #define MINSEC 256		/* min interval between updates (s) */
 #define MAXSEC 2048		/* max interval between updates (s) */
 #define NTP_PHASE_LIMIT ((MAXPHASE / NSEC_PER_USEC) << 5) /* beyond max. dispersion */
+#define NTP_MAXFREQ_USEC (MAXFREQ / NSEC_PER_USEC) /* scaled to microseconds */
 
 /*
  * kernel variables

diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
@@ -454,12 +454,12 @@ int second_overflow(time64_t secs)
 	}
 
 
-	/* Bump the maxerror field */
-	time_maxerror += MAXFREQ / NSEC_PER_USEC;
-	if (time_maxerror > NTP_PHASE_LIMIT) {
+	/* Bump the maxerror field, making sure not to exceed NTP_PHASE_LIMIT */
+	if (NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC < time_maxerror) {
 		time_maxerror = NTP_PHASE_LIMIT;
 		time_status |= STA_UNSYNC;
-	}
+	} else
+		time_maxerror += NTP_MAXFREQ_USEC;
 
 	/* Compute the phase adjustment for the next second */
 	tick_length	 = tick_length_base;