Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp801937lqo; Fri, 17 May 2024 01:49:49 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU60R8tnpprXK9lVEzNt9slYSagpcSo2u9m3B6EXXXxvaScGAphaXYA9N4raOA79ISCYSrUGMSD4Snj8RFViPrgRLfiYMoMmRrTFL3s9Q== X-Google-Smtp-Source: AGHT+IHMXo0OtJchVlHQFXsqyiMhW8MUmj0LMA3rvXcVxOs6O35zSSg3prUGXXZeOjm0InOhfUWm X-Received: by 2002:a05:6870:5246:b0:23d:3b59:6ba4 with SMTP id 586e51a60fabf-24172c33c07mr22293273fac.32.1715935789547; Fri, 17 May 2024 01:49:49 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715935789; cv=pass; d=google.com; s=arc-20160816; b=E1WuOy9SFSO0eWHM7u1X01KghzwK7ZubDzoDW81nklUCSl966XvwIlTh51ZsgFzH7K 0X2PRMY6xjO8vFkpo0/4MjshaUBa20lwZAnOJNLaTsiFNxXWZhY0uYDilpDREE17hyQ7 khXQE3FdNlrr2SUfpOrLmA+wM5En6Qhi9qTqsO6abK8JkJsp9qLQ/9ZKg6kes1Uj3Id3 4xUBC76QhM0SW1IFQuHS6eyuSIP+FMiKqwyqpPPYgM07zyOTBEDBTfGwuJP6jjDki/P1 D6wAs8CPMsr2Y4gLhMbfR35aUoiZh97K3a2W55x/sQBrR3uVwyaeEDD1M94+JxgJP+Z5 z/qQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:references :in-reply-to:subject:cc:to:dkim-signature:dkim-signature:from; bh=Deoi2GZ+KDWE4R9eV3dkdUKvxWuoHOIQHWloV/mCKL4=; fh=3EP0pNvr7fePuzznUvNEvS1hwI4HWymsxuc6ff2fwzg=; b=l/nTszEHhfh5cB+C3uQp6h0br0ZYSgDVtyEO8eUSq/9/qTwaNmPH7iNJQ5MUFv+GY3 /bW/QhozC6+z+fqQeWlC0nTzrZpczVKz+EHqImYN+VaJMnDNSbr3ipcjej6+CDUuTexq mKgW9ATcKBFAVToYfCdG4X8VecIl3+YHLGt8r/KM/6z22/N5+mDW1kM7620eam804PZb EYfTxCXF80UEl/2va4pjM5L/FOfvjdQSdpkA55kLgn5hGZLWnXuQRpN/1eg+QLKfF2Nh HBNVW8nFv+MT03NlM/XCyMr1TEFgS2GBz3rYpBtYcI7kgB1qanwp/IcLdeclG46urclN h6Ww==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=4aNoSl0x; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-181879-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181879-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id d2e1a72fcca58-6f4f39aa750si12580700b3a.369.2024.05.17.01.49.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 01:49:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-181879-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=4aNoSl0x; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-181879-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181879-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 272F2282245 for ; Fri, 17 May 2024 08:49:49 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1B78617C69; Fri, 17 May 2024 08:49:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="4aNoSl0x"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="87ZEWj6b" Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F306C1EB25; Fri, 17 May 2024 08:49:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715935783; cv=none; b=usHSHjtP/gxKXlFr65LbPHSS319fpdjxQfn+NtoQn9jr4l9WsKc2LPjCQwIDfeUPv2GksnX7UNxl4XdP4NZlAIXmnnYiqfjeY3qpjhJzeYN/Pflweg9CBUGjVwZdFCyW6WEEeiumxncJWXC2NTxrXCKi/YAEmh+gPXwzIjsJmlA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715935783; c=relaxed/simple; bh=bHB9Jyod00NwPI/ne8odhL2AXmhmNsER6T4TKlS22BE=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=rUhNZ+wpTj2Du0o5wNLN1OCyuPJ3Uhj8NhrGs813gcO/UapHlYBMoHBuqgLlsiP/qVTwIjUjq/EGq0vnZaJb2ygNA0AQZZrh+I10eFMr5Cw7gwH+WGDGTpXZXBIRFoJGm42JWOx6zgo1zDsZUzKaPlLJLLNQ+pE86br5c319FTI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=4aNoSl0x; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=87ZEWj6b; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de From: Thomas Gleixner DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1715935780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Deoi2GZ+KDWE4R9eV3dkdUKvxWuoHOIQHWloV/mCKL4=; b=4aNoSl0xm0exphB7zLPX4O07pTlF7cp+mBPwN/zAxbZqJIbC8lckN9/vs4IsFyD6ldzLUw B64g3UhkXU6++iwIRip4SIjXYXfCs1tfb79f/rYZ/Fq+86OjpcKn9ZeBYsrejidJO65BvK ruNAVnKvaRVQ6K6Usqq8hZcknyXlWPpV6E3zMQ+gTdMl8LrIIlrikycUB3RePTyy6nIF8I kLkBqA3mM5tDWWCPzvj2CEBFr+KecCpbH9giWbljmgZMDazagn7l8VNN77q8bBcAPrrdHN hDX5pqzl29PQEwBkZGoS3BENzfz2K/xZxVQUZUT4y4uBpD8savGmdFX41l6oKw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1715935780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Deoi2GZ+KDWE4R9eV3dkdUKvxWuoHOIQHWloV/mCKL4=; b=87ZEWj6b2Wq4yvgsK9yoA17pwUSQUTuSHPGEib5DWhmlaRGQG+Gm6gWqR+2hCtuVF+0TZZ UYNvqs88L5fWLKBw== To: Justin Stitt Cc: John Stultz , Stephen Boyd , Nathan Chancellor , Bill Wendling , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: Re: [PATCH] ntp: remove accidental integer wrap-around In-Reply-To: References: <20240507-b4-sio-ntp-usec-v1-1-15003fc9c2b4@google.com> <87v83gllv8.ffs@tglx> Date: Fri, 17 May 2024 10:49:39 +0200 Message-ID: <87ttiwkel8.ffs@tglx> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On Thu, May 16 2024 at 16:40, Justin Stitt wrote: > On Tue, May 14, 2024 at 3:38=E2=80=AFAM Thomas Gleixner wrote: >> So how can 0xf42400 + 500000/1000 overflow in the first place? >> >> It can't unless time_maxerror is somehow initialized to a bogus >> value and indeed it is: >> >> process_adjtimex_modes() >> .... >> if (txc->modes & ADJ_MAXERROR) >> time_maxerror =3D txc->maxerror; >> >> So that wants to be fixed and not the symptom. > > Isn't this usually supplied from the user and can be some pretty > random stuff? Sure it comes from user space and can contain random nonsense as syzkaller demonstrated. > Are you suggesting we update timekeeping_validate_timex() to include a > check to limit the maxerror field to (NTP_PHASE_LIMIT-(MAXFREQ / > NSEC_PER_USEC))? It seems like we should handle the overflow case > where it happens: in second_overflow(). > > The clear intent of the existing code was to saturate at > NTP_PHASE_LIMIT, they just did it in a way where the check itself > triggers overflow sanitizers. The clear intent of the code is to do saturation of a bound value. Clearly the user space interface fails to validate the input to be in a sane range and that makes you go and prevent the resulting overflow at the usage site. Seriously? Obviously the sanitizer detects the stupid in second_overflow(), but that does not mean that the proper solution is to add overflow protection to that code. Tools are good to pin-point symptoms, but they are by definition patently bad in root cause analysis. Otherwise we could just let the tool write the "fix". The obvious first question in such a case is to ask _WHY_ does time_maxerror have a bogus value, which clearly cannot be achieved from regular operation. Once you figured out that the only way to set time_maxerror to a bogus value is the user space interface the obvious follow up question is whether such a value has to be considered as valid or not. As it is obviously invalid the logical consequence is to add a sanity check and reject that nonsense at that boundary, no? Thanks, tglx