Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 6 May 2019 13:40:19 -0700
From:      John Baldwin <jhb@FreeBSD.org>
To:        Mark Johnston <markj@freebsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r347063 - head/sys/kern
Message-ID:  <52484f6b-fdae-565b-6c03-37a63d56ad30@FreeBSD.org>
In-Reply-To: <20190506184502.GA35464@raichu>
References:  <201905032126.x43LQilu092655@repo.freebsd.org> <335d828e-ac61-bc59-bac3-f80f27b951c7@FreeBSD.org> <20190506184502.GA35464@raichu>

next in thread | previous in thread | raw e-mail | index | archive | help
On 5/6/19 11:45 AM, Mark Johnston wrote:
> On Mon, May 06, 2019 at 11:07:18AM -0700, John Baldwin wrote:
>> On 5/3/19 2:26 PM, Mark Johnston wrote:
>>> Author: markj
>>> Date: Fri May  3 21:26:44 2019
>>> New Revision: 347063
>>> URL: https://svnweb.freebsd.org/changeset/base/347063
>>>
>>> Log:
>>>   Disallow excessively small times of day in clock_settime(2).
>>>   
>>>   Reported by:	syzkaller
>>>   Reviewed by:	cem, kib
>>>   MFC after:	1 week
>>>   Sponsored by:	The FreeBSD Foundation
>>>   Differential Revision:	https://reviews.freebsd.org/D20151
>>>
>>> Modified:
>>>   head/sys/kern/kern_time.c
>>>
>>> Modified: head/sys/kern/kern_time.c
>>> ==============================================================================
>>> --- head/sys/kern/kern_time.c	Fri May  3 21:13:09 2019	(r347062)
>>> +++ head/sys/kern/kern_time.c	Fri May  3 21:26:44 2019	(r347063)
>>> @@ -412,7 +412,9 @@ kern_clock_settime(struct thread *td, clockid_t clock_
>>>  	if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
>>>  	    ats->tv_sec < 0)
>>>  		return (EINVAL);
>>> -	if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60)
>>> +	if (!allow_insane_settime &&
>>> +	    (ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60 ||
>>> +	    ats->tv_sec < utc_offset()))
>>>  		return (EINVAL);
>>>  	/* XXX Don't convert nsec->usec and back */
>>>  	TIMESPEC_TO_TIMEVAL(&atv, ats);
>>
>> Pardon my ignorance, but I can't see why you are checking against utc_offset()
>> vs some small constant?  None of the discussion in the review mentioned the
>> reason for using this particular value, and I didn't see any comparisons
>> against utc_offset or kernadjtz in kern_clock_setttime() or settime() that
>> would have underflowed or panicked.  Can you give a bit more detail on why
>> utc_offset() is the lower bound?  Thanks.
> 
> I chose it because we subtract utc_offset() from the time passed in to
> clock_settime(); see settime_task_func().  That subtraction caused the
> underflow that later caused the observed panics.

Ok, thanks.  A few things I didn't see anyone else note in the review then:

1) This subtraction is actually not done for all rtc drivers, so it seems
   like we might block small times for RTC clocks that set
   CLOCKF_GETTIME_NO_ADJ.
2) utc_offset can be negative for machines using local time in timezones
   "before" UTC.

I suppose we don't think any FreeBSD machines actually need to set the
running clock to 0 anyway so fixing it here rather than rejecting invalid
values only for RTCs that can't handle it is probably ok, but the
connection doesn't feel obvious that we are rejecting times that might
be non-representable in RTCs.

-- 
John Baldwin



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52484f6b-fdae-565b-6c03-37a63d56ad30>