[Bug 214300] Integer truncation issues lead to out-of-bounds kernel reads and panics in clock_settime().

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Nov 8 12:07:39 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214300

Konstantin Belousov <kib at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kib at FreeBSD.org
           Hardware|amd64                       |Any

--- Comment #1 from Konstantin Belousov <kib at FreeBSD.org> ---
The real problem is that clock_ts_to_ct() does not return an error, which means
that updating the function so that it sometimes returns an error requires a
similar update to all two dozen callers, including rare platforms.

There are more problems, e.g. a typical RTC year register only has three or four
BCD digits, so that such values cannot be stored, but we currently do not check
for that.

Due to the algorithm of clock_ts_to_ct(), insanely large values would take quite
long to handle, even with the types of the local vars fixed.

IMO fixing all the issues is a relatively large amount of work for almost no
benefit.  I propose, instead, to limit the range of valid setclock(2) values, by
e.g. coarsely approximating four BCD digits in the year value.  Also, since you
already diagnosed and noted it, change the type of the year and days variables
in clock_ts_to_ct().  I put in a sysctl to allow experimentation.

-- 
You are receiving this mail because:
You are the assignee for the bug.
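To make the truncation and the proposed range check concrete, here is an added C example; it is not FreeBSD's code and not part of this bug report. It models three things discussed above: the pre-fix conversion's narrowing of tv_sec / SECDAY into an int, a widened conversion whose year and day counters are 64-bit, and a clock_settime-style front-end check that refuses years not representable in four BCD digits. The names ts_to_ct64, check_settime, days_truncated, packed_ymd, the constant MAX_SETTIME_SEC and the allow_insane_settime flag standing in for the sysctl are all assumptions of this example; the 9999 * 366 * SECDAY bound is a deliberately coarse over-approximation, in the spirit of the comment rather than taken from it.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECDAY          ((int64_t)24 * 60 * 60)
#define POSIX_BASE_YEAR 1970

/* Stand-in for the sysctl mentioned in the comment (assumed name). */
static bool allow_insane_settime = false;

/* Coarse bound for "four BCD year digits": 9999 years of 366 days
 * since the epoch.  Over-approximates, so some year-10000 values pass. */
#define MAX_SETTIME_SEC ((int64_t)9999 * 366 * SECDAY)

static bool leapyear(int64_t year)
{
	return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

static int days_in_year(int64_t year)
{
	return leapyear(year) ? 366 : 365;
}

static const int month_days[12] = {31,28,31,30,31,30,31,31,30,31,30,31};

static int days_in_month(int64_t year, int month)
{
	return (month == 2 && leapyear(year)) ? 29 : month_days[month - 1];
}

struct clocktime_ex {
	int64_t year;		/* widened; the old code used int */
	int mon, day, hour, min, sec;
};

/* Model of the old bug: does narrowing tv_sec / SECDAY into an int lose bits? */
bool days_truncated(int64_t tv_sec)
{
	int64_t days64 = tv_sec / SECDAY;
	int days32 = (int)days64;	/* implementation-defined narrowing */
	return (int64_t)days32 != days64;
}

/* Widened conversion: days and year are 64-bit.  Assumes tv_sec >= 0.
 * Still linear in the number of years, so it must not see insane input. */
void ts_to_ct64(int64_t tv_sec, struct clocktime_ex *ct)
{
	int64_t days = tv_sec / SECDAY;
	int64_t rsec = tv_sec % SECDAY;
	int64_t year;
	int i;

	for (year = POSIX_BASE_YEAR; days >= days_in_year(year); year++)
		days -= days_in_year(year);
	ct->year = year;
	for (i = 1; days >= days_in_month(year, i); i++)
		days -= days_in_month(year, i);
	ct->mon = i;
	ct->day = (int)days + 1;
	ct->hour = (int)(rsec / 3600);
	rsec %= 3600;
	ct->min = (int)(rsec / 60);
	ct->sec = (int)(rsec % 60);
}

/* year*10000 + month*100 + day, e.g. 21000101, for easy checking. */
int64_t packed_ymd(int64_t tv_sec)
{
	struct clocktime_ex ct;
	ts_to_ct64(tv_sec, &ct);
	return ct.year * 10000 + ct.mon * 100 + ct.day;
}

/* Front-end check in the spirit of the proposal: reject values the RTC could
 * not store before any conversion runs, instead of teaching every caller of
 * the conversion to handle an error. */
int check_settime(int64_t tv_sec, int64_t tv_nsec)
{
	if (tv_sec < 0 || tv_nsec < 0 || tv_nsec >= 1000000000)
		return EINVAL;
	if (!allow_insane_settime && tv_sec > MAX_SETTIME_SEC)
		return EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed inputs: 2100-01-01 and 9999-12-31 00:00:00 UTC. */
	printf("2100-01-01 -> %lld (truncated: %d)\n",
	    (long long)packed_ymd(4102444800LL), days_truncated(4102444800LL));
	printf("9999-12-31 -> %lld\n", (long long)packed_ymd(253402214400LL));
	printf("settime(INT64_MAX) -> %d\n", check_settime(INT64_MAX, 0));
	return 0;
}
```

The ordering matters: check_settime() runs before ts_to_ct64(), because the widened conversion is still a loop over years and an insane tv_sec would keep it busy for a very long time, which is the second problem the comment raises. The bound is coarse on purpose: 253402300800 (10000-01-01) is still accepted, since a precise cut-off would need the year computation the check is meant to avoid.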
