From owner-freebsd-bugs@freebsd.org Tue Nov 8 12:07:39 2016
Return-Path:
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8208FC34E6B for ; Tue, 8 Nov 2016 12:07:39 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 69132863 for ; Tue, 8 Nov 2016 12:07:39 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id uA8C7b6m029048 for ; Tue, 8 Nov 2016 12:07:39 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 214300] Integer truncation issues lead to out-of-bounds kernel reads and panics in clock_settime().
Date: Tue, 08 Nov 2016 12:07:38 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: kib@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: cc rep_platform
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Nov 2016 12:07:39 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214300

Konstantin Belousov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kib@FreeBSD.org
           Hardware|amd64                       |Any

--- Comment #1 from Konstantin Belousov ---
The real problem is that clock_ts_to_ct() does not return an error, which means that an update to the function which returns an error sometimes requires a similar update to all two dozen callers, including rare platforms.

There are more problems, e.g. a typical RTC year register only has three or four BCD digits, so that values cannot be stored, but we currently do not check for that. Due to the algorithm of clock_ts_to_ct(), insanely large values would take quite long to handle, with the type of local vars fixed.

IMO fixing all the issues is relatively large work for almost no benefit. I propose, instead, to limit the range of valid setclock(2) values, by e.g. coarsely approximating four BCD digits in the year value.
Also, since you already diagnosed and noted it, change the type of the year and days variables in clock_ts_to_ct(). I put a sysctl in to allow experimentation.

-- 
You are receiving this mail because:
You are the assignee for the bug.
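The mitigation the comment proposes, shown as an added example that is not FreeBSD code and not the real clock_ts_to_ct(): reject a time value that cannot fit the RTC's year register before any conversion runs, keep the year and day arithmetic in 64-bit locals, and return an error instead of truncating. The assumed RTC holds a four-digit BCD year, so 1970..9999 is the representable range.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed example, not FreeBSD's clock_ts_to_ct(). Assumes an RTC whose
 * year register holds four BCD digits, so only 1970..9999 is representable. */
#define RTC_YEAR_MIN 1970
#define RTC_YEAR_MAX 9999
#define SECS_PER_DAY 86400LL

static bool is_leap(int y)
{
	return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Length of calendar year y in seconds, as a 64-bit value. */
static int64_t year_secs(int y)
{
	return (is_leap(y) ? 366 : 365) * SECS_PER_DAY;
}

/* Seconds from the epoch to 1 January of `year`, kept in 64-bit arithmetic. */
static int64_t year_start_secs(int year)
{
	int64_t secs = 0;
	for (int y = RTC_YEAR_MIN; y < year; y++)
		secs += year_secs(y);
	return secs;
}

/* Returns the four-digit BCD year for tv_sec, or -ERANGE when the value
 * cannot be represented. The bound check runs first, so the year loop is
 * always short, however large the caller's input is. */
int ts_to_rtc_year_bcd(int64_t tv_sec)
{
	if (tv_sec < 0 || tv_sec >= year_start_secs(RTC_YEAR_MAX + 1))
		return -ERANGE;	/* refuse instead of truncating */
	int y = RTC_YEAR_MIN;
	for (int64_t rem = tv_sec; rem >= year_secs(y); y++)
		rem -= year_secs(y);
	/* Pack the decimal digits of y into a 16-bit BCD value, e.g. 0x2016. */
	int b = 0;
	for (int shift = 0, v = y; shift < 16; shift += 4, v /= 10)
		b |= (v % 10) << shift;
	return b;
}
```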