authorcheloha <cheloha@openbsd.org>2019-01-18 05:03:42 +0000
committercheloha <cheloha@openbsd.org>2019-01-18 05:03:42 +0000
commitedff7b91a8e4c3ea7f21631f8dbea716ab1185a8 (patch)
tree4acfcfedfc27cd81b6781c3ff356a944c52b53a8
parentAdd the -iter and -pbkdf2 argumenst to enc (diff)
adjtime(2), settimeofday(2), clock_settime(2): validate input
Add documentation for the new EINVAL cases for adjtime(2) and settimeofday(2). adjtime.2 docs ok schwarze@, settimeofday(2)/clock_settime(2) stuff ok tedu@, "stop waiting" deraadt@
-rw-r--r--lib/libc/sys/adjtime.211
-rw-r--r--lib/libc/sys/gettimeofday.210
-rw-r--r--sys/kern/kern_time.c9
3 files changed, 23 insertions, 7 deletions
diff --git a/lib/libc/sys/adjtime.2 b/lib/libc/sys/adjtime.2
index ce638760c5b..91d0370025c 100644
--- a/lib/libc/sys/adjtime.2
+++ b/lib/libc/sys/adjtime.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: adjtime.2,v 1.22 2015/09/10 17:55:21 schwarze Exp $
+.\" $OpenBSD: adjtime.2,v 1.23 2019/01/18 05:03:42 cheloha Exp $
.\" $NetBSD: adjtime.2,v 1.5 1995/10/12 15:40:44 jtc Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)adjtime.2 8.1 (Berkeley) 6/4/93
.\"
-.Dd $Mdocdate: September 10 2015 $
+.Dd $Mdocdate: January 18 2019 $
.Dt ADJTIME 2
.Os
.Sh NAME
@@ -87,9 +87,14 @@ will fail if:
.Bl -tag -width Er
.It Bq Er EFAULT
Either of the arguments point outside the process's allocated address space.
+.It Bq Er EINVAL
+The
+.Fa delta
+argument is non-null and specifies a microsecond value less than zero or
+greater than or equal to 1 million.
.It Bq Er EPERM
The
-.Fn delta
+.Fa delta
argument is non-null and the process's effective user ID is not that
of the superuser.
.El
diff --git a/lib/libc/sys/gettimeofday.2 b/lib/libc/sys/gettimeofday.2
index 81b27561e23..3f32e7b6fbf 100644
--- a/lib/libc/sys/gettimeofday.2
+++ b/lib/libc/sys/gettimeofday.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: gettimeofday.2,v 1.29 2015/09/10 17:55:21 schwarze Exp $
+.\" $OpenBSD: gettimeofday.2,v 1.30 2019/01/18 05:03:42 cheloha Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)gettimeofday.2 8.2 (Berkeley) 5/26/95
.\"
-.Dd $Mdocdate: September 10 2015 $
+.Dd $Mdocdate: January 18 2019 $
.Dt GETTIMEOFDAY 2
.Os
.Sh NAME
@@ -118,8 +118,12 @@ An argument address referenced invalid memory.
.Pp
In addition,
.Fn settimeofday
-may return the following error:
+may return the following errors:
.Bl -tag -width Er
+.It Bq Er EINVAL
+.Fa tp
+specified a microsecond value less than zero or greater than or equal to
+1 million.
.It Bq Er EPERM
A user other than the superuser attempted to set the time.
.El
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 1dce61217ce..6ca3c157698 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_time.c,v 1.106 2019/01/10 17:54:11 cheloha Exp $ */
+/* $OpenBSD: kern_time.c,v 1.107 2019/01/18 05:03:42 cheloha Exp $ */
/* $NetBSD: kern_time.c,v 1.20 1996/02/18 11:57:06 fvdl Exp $ */
/*
@@ -196,6 +196,8 @@ sys_clock_settime(struct proc *p, void *v, register_t *retval)
clock_id = SCARG(uap, clock_id);
switch (clock_id) {
case CLOCK_REALTIME:
+ if (ats.tv_nsec < 0 || ats.tv_nsec >= 1000000000)
+ return (EINVAL);
if ((error = settime(&ats)) != 0)
return (error);
break;
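Review bot: The sub-second range test is written out by hand with bare literals in three places: here for tv_nsec, and again for tv_usec in the sys_settimeofday and sys_adjtime hunks. A shared predicate would keep the three syscall entry points from drifting apart, for example `static inline int usec_in_range(long us) { return us >= 0 && us < 1000000; }` with a nanosecond twin (the names are only suggestions). Only the fractional field is validated in these hunks, and tv_sec is handed to settime() unchanged. If settime() is what bounds the seconds, a short comment saying so next to the new check would help, such as `/* tv_sec is range-checked in settime() */`. settime() is not visible in this diff, so that should be confirmed before the comment is added.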
@@ -380,6 +382,8 @@ sys_settimeofday(struct proc *p, void *v, register_t *retval)
if (tv) {
struct timespec ts;
+ if (atv.tv_usec < 0 || atv.tv_usec >= 1000000)
+ return (EINVAL);
TIMEVAL_TO_TIMESPEC(&atv, &ts);
if ((error = settime(&ts)) != 0)
return (error);
@@ -453,6 +457,9 @@ sys_adjtime(struct proc *p, void *v, register_t *retval)
if ((error = copyin(delta, &atv, sizeof(struct timeval))))
return (error);
+ if (atv.tv_usec < 0 || atv.tv_usec >= 1000000)
+ return (EINVAL);
+
/* XXX Check for overflow? */
adjtimedelta = (int64_t)atv.tv_sec * 1000000 + atv.tv_usec;
}
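Review bot: The `XXX Check for overflow?` left under the new check is still open: `(int64_t)atv.tv_sec * 1000000 + atv.tv_usec` can overflow a signed 64-bit value for a large caller-supplied tv_sec, and the added test bounds only tv_usec. With tv_usec now known to lie in [0, 999999], the seconds can be bounded at the same spot, e.g. `if (atv.tv_sec < INT64_MIN / 1000000 || atv.tv_sec > (INT64_MAX - 999999) / 1000000) return (EINVAL);`, assuming the INT64 limits are in scope in this file. The EINVAL entry added to adjtime.2 would then need the seconds range mentioned as well. sys_adjtime begins and ends outside the hunk, so whether adjtimedelta is clamped later cannot be seen from here.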