Source-Changes-HG archive


[src/netbsd-2]: src/sys/kern Fix build problem caused by ticket #10184.



details:   https://anonhg.NetBSD.org/src/rev/74d2074a1606
branches:  netbsd-2
changeset: 564361:74d2074a1606
user:      tron <tron%NetBSD.org@localhost>
date:      Tue Dec 06 16:52:19 2005 +0000

description:
Fix build problem caused by ticket #10184.

diffstat:

 sys/kern/kern_time.c |  26 ++++++++++++++++++++++++--
 1 files changed, 24 insertions(+), 2 deletions(-)

diffs (47 lines):

diff -r 9884ca948133 -r 74d2074a1606 sys/kern/kern_time.c
--- a/sys/kern/kern_time.c      Fri Dec 02 11:32:45 2005 +0000
+++ b/sys/kern/kern_time.c      Tue Dec 06 16:52:19 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_time.c,v 1.82 2004/03/14 01:08:47 cl Exp $        */
+/*     $NetBSD: kern_time.c,v 1.82.4.1 2005/12/06 16:52:19 tron Exp $  */
 
 /*-
  * Copyright (c) 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.82 2004/03/14 01:08:47 cl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.82.4.1 2005/12/06 16:52:19 tron Exp $");
 
 #include "fs_nfs.h"
 #include "opt_nfs.h"
@@ -119,6 +119,28 @@
        struct cpu_info *ci;
        int s;
 
+       /*
+        * Don't allow the time to be set forward so far it will wrap
+        * and become negative, thus allowing an attacker to bypass
+        * the next check below.  The cutoff is 1 year before rollover
+        * occurs, so even if the attacker uses adjtime(2) to move
+        * the time past the cutoff, it will take a very long time
+        * to get to the wrap point.
+        *
+        * XXX: we check against INT_MAX since on 64-bit
+        *      platforms, sizeof(int) != sizeof(long) and
+        *      time_t is 32 bits even when atv.tv_sec is 64 bits.
+        */
+       if (tv->tv_sec > INT_MAX - 365*24*60*60) {
+               struct proc *p = curproc();
+               struct proc *pp = p->p_pptr;
+               log(LOG_WARNING, "pid %d (%s) "
+                   "invoked by uid %d ppid %d (%s) "
+                   "tried to set clock forward to %ld\n",
+                   p->p_pid, p->p_comm, pp->p_ucred->cr_uid,
+                   pp->p_pid, pp->p_comm, (long)tv->tv_sec);
+               return (EPERM);
+       }
        /* WHAT DO WE DO ABOUT PENDING REAL-TIME TIMEOUTS??? */
        s = splclock();
        timersub(tv, &time, &delta);
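Review bot: The warning logged in the new `tv->tv_sec > INT_MAX - 365*24*60*60` branch records only the parent's uid (`pp->p_ucred->cr_uid`), so the credentials of the process that actually attempted the clock change never reach the log. For an audit record of a rejected time change, the caller's own uid is what a responder needs, for example when the caller is a set-id program started by another user; I would add it, e.g. `"pid %d (%s) uid %d invoked by uid %d ppid %d (%s) "` with `p->p_ucred->cr_uid` passed after `p->p_comm`. The branch also dereferences `p` and `p->p_pptr` without a NULL check, which is safe only if this function is always entered on behalf of a process that has a parent; that cannot be confirmed here because the enclosing function starts and ends outside the hunk. The `log()` call is not rate-limited, so a caller that repeats the request can fill the log; whether that matters depends on the privilege check in the callers, which is not visible.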


