DF-0078
pps_shift/pps_shiftmax sysctls lack range validation, allowing UB shift counts in hardpps (root self-DoS)
Summary
In kern_ntptime.c:265-266, pps_shiftmax and pps_shift are exported as CTLFLAG_RW SYSCTL_INT variables, so a sysctl write bypasses the MOD_PPSMAX clamp (:338-345) that the ntp_adjtime API enforces. Root can set them to >= 32 or to a negative value. hardpps then evaluates 1<<pps_shift (:787/:806), MAXFREQ<<pps_shift (:804) and L_RSHIFT(ftemp,pps_shift) (:824) with that shift count, which is undefined behaviour (C11 6.5.7). Requirements: a PPS_SYNC kernel, a root sysctl write and an active PPS driver. Impact: corrupted frequency-discipline state / timekeeping malfunction (self-DoS). There is no memory-corruption primitive, because the results are bounded by the subsequent range checks (:805-810).
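The missing check, sketched as an added user-space example (not the kernel's code and not its fix): a validating setter rejects out-of-range writes to a shift tunable, and the use site guards the shift itself. The names set_shift, set_shiftmax, checked_shl, struct pps_cfg and the bounds 2..15 are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Assumed bounds for illustration; the page does not state the real limits. */
#define SHIFT_MIN 2
#define SHIFT_MAX 15

struct pps_cfg { int shift, shiftmax; };

/* Hypothetical write handler for the upper bound: reject, rather than
 * store, anything outside [SHIFT_MIN, SHIFT_MAX]. */
static int set_shiftmax(struct pps_cfg *c, int v)
{
    if (v < SHIFT_MIN || v > SHIFT_MAX)
        return EINVAL;
    c->shiftmax = v;
    if (c->shift > v)           /* keep the invariant shift <= shiftmax */
        c->shift = v;
    return 0;
}

static int set_shift(struct pps_cfg *c, int v)
{
    if (v < SHIFT_MIN || v > c->shiftmax)
        return EINVAL;
    c->shift = v;
    return 0;
}

/* Defence in depth at the use site: C11 6.5.7 leaves x << n undefined for
 * n < 0, n >= operand width, or a signed result that is not representable. */
static int checked_shl(long x, int n, long *out)
{
    int width = (int)(sizeof(long) * CHAR_BIT);
    if (n < 0 || n >= width - 1 || x < 0 || x > (LONG_MAX >> n))
        return ERANGE;
    *out = x << n;
    return 0;
}

int main(void)
{
    struct pps_cfg c = {4, 8};  /* constructed sample state */
    long r = 0;
    printf("set_shift(32) -> %d (EINVAL=%d)\n", set_shift(&c, 32), EINVAL);
    printf("1 << -3       -> %d (ERANGE=%d)\n", checked_shl(1, -3, &r), ERANGE);
    return 0;
}
```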