Preventing 32-bit time_t overflow

From: Miroslav Lichvar
Date: Thu Apr 09 2015 - 12:46:09 EST

Next message: Linus Torvalds: "Re: [PATCH 2/2] locking/rwsem: Use a return variable in rwsem_spin_on_owner()"
Previous message: Dmitry Torokhov: "Re: [PATCH 2/2] Input: atmel_mxt_ts - allow specifying device-specific configs"
Next in thread: John Stultz: "Re: Preventing 32-bit time_t overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I did a test to see what happens on a system when 32-bit time_t
overflows. While the kernel seems to continue running without big
problems and it's possible to set the clock back to a time before the
overflow, some applications are not so good, they are burning CPU, the
system log is getting filled, it looks like an admin's nightmare.

I'm not sure how many of them are bugs in math with time_t and how
many are due to unexpected results from system calls like setting
timers with the ABSTIME flag to time before 1970, but I think it would
be pretty unrealistic to expect all applications to be able to handle
all the problems that can happen when time_t overflows or is close to
the overflow.

The trouble is this can be exploited with unauthenticated NTP or PTP.
With a spoofed reply the clock can be set close to the overflow. Some
NTP/PTP implementations don't allow (large) steps after the initial
synchronization, so a system that's already running with good time
might be safe, but there are some implementations where the clock can
be set to any value at any time. Also, a lot of people are running
ntpdate or similar from cron.

I'm wondering if this is something that would make sense to address
in the kernel, at least for now.

I was thinking about reserving an interval (e.g. month or year) before
the overflow where the time would be considered invalid and the clock
couldn't be set to it. In the time accumulation would be a check
if the time is still valid and if not, the clock would be set back by
day, month or year as if adjtimex(ADJ_SETOFFSET) was called, so the
overflow never actually happens and there is always some room for
calculations around current time. It could be configurable, to allow
people to test the kernel and applications for the overflow.

What do you think?

--
Miroslav Lichvar
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: [PATCH 2/2] locking/rwsem: Use a return variable in rwsem_spin_on_owner()"
Previous message: Dmitry Torokhov: "Re: [PATCH 2/2] Input: atmel_mxt_ts - allow specifying device-specific configs"
Next in thread: John Stultz: "Re: Preventing 32-bit time_t overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]