disallow clock_settime too far in the future to avoid panic
clock_ts_to_ct has a KASSERT that the converted year fits into four digits. By default (sysctl debug.allow_insane_settime is 0) the kernel disallows a time too far in the future, using a value of 9999 366-day years. However, clock_settime is epoch-relative and the assertion will fail with a tv_sec corresponding to some 8030 years. Avoid trying to be too clever, and just use a limit of 8000 365-day years past the epoch.

Submitted by: Heqing Yan <scottieyan@gmail.com>
Reported by: Syzkaller (https://github.com/google/syzkaller)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
This commit is contained in:
parent
c52ef9bbff
commit
81d606f52e
@ -408,7 +408,7 @@ kern_clock_settime(struct thread *td, clockid_t clock_id, struct timespec *ats)
|
||||
if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
|
||||
ats->tv_sec < 0)
|
||||
return (EINVAL);
|
||||
if (!allow_insane_settime && ats->tv_sec > 9999ULL * 366 * 24 * 60 * 60)
|
||||
if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60)
|
||||
return (EINVAL);
|
||||
/* XXX Don't convert nsec->usec and back */
|
||||
TIMESPEC_TO_TIMEVAL(&atv, ats);
|
||||
|
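Review bot: The new bound on the `ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60` line is a bare magic number with no comment tying it to the four-digit-year KASSERT in clock_ts_to_ct that the commit message says it protects. A short comment above the check, or a named constant, would keep a later change from raising the limit back past the point where the assertion fires. Note also that the check is still gated on `!allow_insane_settime`, so when that sysctl is nonzero the bound is skipped and the assertion stays reachable in that configuration; either document that this is intended for the debug knob or apply an upper bound unconditionally. The unsigned comparison is safe only because `ats->tv_sec < 0` is rejected just above, which is worth preserving if these checks are ever reordered.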