From fc89a13992384ab8d8fb0c937b021434123bbc49 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sun, 19 Aug 2012 15:15:59 +0200
Subject: [PATCH] journal: validate timestamps as well
---
 src/journal/fsprg.c | 2 +-
 src/journal/journal-file.h | 15 +++++++++++++++
 src/journal/journal-verify.c | 9 +++++++--
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/journal/fsprg.c b/src/journal/fsprg.c
index 34ce3be96..2190b7c79 100644
--- a/src/journal/fsprg.c
+++ b/src/journal/fsprg.c
@@ -160,7 +160,7 @@ static gcry_mpi_t twopowmodphi(uint64_t m, const gcry_mpi_t p) {
 gcry_mpi_sub_ui(phi, p, 1);
 /* count number of used bits in m */
- for (n = 0; ((uint64_t)1 << n) <= m; n++)
+ for (n = 0; (1ULL << n) <= m; n++)
 ;
 r = gcry_mpi_new(0);
diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h
index e2ef03347..7358173e7 100644
--- a/src/journal/journal-file.h
+++ b/src/journal/journal-file.h
@@ -119,6 +119,21 @@ int journal_file_open_reliably(
 #define ALIGN64(x) (((x) + 7ULL) & ~7ULL)
 #define VALID64(x) (((x) & 7ULL) == 0ULL)
+static inline bool VALID_REALTIME(uint64_t u) {
+ /* This considers timestamps until the year 3112 valid. That should be plenty room... */
+ return u > 0 && u < (1ULL << 55);
+}
+
+static inline bool VALID_MONOTONIC(uint64_t u) {
+ /* This considers timestamps until 1142 years of runtime valid. */
+ return u < (1ULL << 55);
+}
+
+static inline bool VALID_EPOCH(uint64_t u) {
+ /* This allows changing the key for 1142 years, every usec. */
+ return u < (1ULL << 55);
+}
+
 #define JOURNAL_HEADER_CONTAINS(h, field) \
 (le64toh((h)->header_size) >= offsetof(Header, field) + sizeof((h)->field))
diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c
index a31817671..535b2727a 100644
--- a/src/journal/journal-verify.c
+++ b/src/journal/journal-verify.c
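Review bot: The bit-counting loop in twopowmodphi() (src/journal/fsprg.c) still has no upper bound on n: for any m with bit 63 set, `(1ULL << n) <= m` is still true at n = 63, and the next iteration shifts a 64-bit operand by 64, which is undefined behaviour. Swapping the cast for `1ULL` leaves that unchanged. Whether a caller can pass such an m is not visible in this hunk, but bounding the loop is cheap: `for (n = 0; n < 64 && (1ULL << n) <= m; n++)`. The function body starts and ends outside the hunk.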
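Review bot: VALID_REALTIME(), VALID_MONOTONIC() and VALID_EPOCH() in src/journal/journal-file.h take a plain uint64_t, so they will silently accept a value that is still in on-disk byte order, and nothing in the header states that the argument must already be converted. A comment above the three helpers, e.g. `/* All three expect microseconds in host byte order: pass le64toh(field), never the raw on-disk field. */`, would make the contract explicit for a verifier that runs on possibly corrupted or tampered files. The bound `1ULL << 55` is also spelled out three times; one named constant would keep the three limits from drifting apart.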
@@ -35,8 +35,8 @@
 /* FIXME:
 *
- * - write bit mucking test
 * - evolve key even if nothing happened in regular intervals
+ * - add macro for accessing flags
 *
 * - Allow building without libgcrypt
 * - check with sparse
@@ -115,7 +115,8 @@ static int journal_file_object_verify(JournalFile *f, Object *o) {
 return -EBADMSG;
 if (le64toh(o->entry.seqnum) <= 0 ||
- le64toh(o->entry.realtime) <= 0)
+ !VALID_REALTIME(le64toh(o->entry.realtime)) ||
+ !VALID_MONOTONIC(le64toh(o->entry.monotonic)))
 return -EBADMSG;
 for (i = 0; i < journal_file_entry_n_items(o); i++) {
@@ -169,6 +170,10 @@ static int journal_file_object_verify(JournalFile *f, Object *o) {
 case OBJECT_TAG:
 if (le64toh(o->object.size) != sizeof(TagObject))
 return -EBADMSG;
+
+ if (!VALID_EPOCH(o->tag.epoch))
+ return -EBADMSG;
+
 break;
 }
--
2.30.2
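Review bot: In the OBJECT_TAG case of journal_file_object_verify(), `VALID_EPOCH(o->tag.epoch)` passes the field without `le64toh()`, unlike the other fields this patch reads in the same function (`o->object.size`, `o->entry.realtime`, `o->entry.monotonic`). TagObject's definition is not part of this patch, but if epoch is stored little-endian like its neighbours, a big-endian host compares the byte-swapped value against 2^55, so a valid tag can be rejected with -EBADMSG and an out-of-range epoch can pass verification. The check should read `if (!VALID_EPOCH(le64toh(o->tag.epoch)))`. The function body starts and ends outside the hunk.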