From 81d606f52e214621ca24eba9789fe1cd99d5f189 Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Tue, 14 Nov 2017 18:18:18 +0000 Subject: [PATCH] disallow clock_settime too far in the future to avoid panic clock_ts_to_ct has a KASSERT that the converted year fits into four digits. By default (sysctl debug.allow_insane_settime is 0) the kernel disallows a time too far in the future, using a value of 9999 366-day years. However, clock_settime is epoch-relative and the assertion will fail with a tv_sec corresponding to some 8030 years. Avoid trying to be too clever, and just use a limit of 8000 365-day years past the epoch. Submitted by: Heqing Yan Reported by: Syzkaller (https://github.com/google/syzkaller) MFC after: 1 week Sponsored by: The FreeBSD Foundation --- sys/kern/kern_time.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 92672438253..1fe53e2819b 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -408,7 +408,7 @@ kern_clock_settime(struct thread *td, clockid_t clock_id, struct timespec *ats) if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 || ats->tv_sec < 0) return (EINVAL); - if (!allow_insane_settime && ats->tv_sec > 9999ULL * 366 * 24 * 60 * 60) + if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60) return (EINVAL); /* XXX Don't convert nsec->usec and back */ TIMESPEC_TO_TIMEVAL(&atv, ats);