From: Mark Johnston
To: John Baldwin
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r347063 - head/sys/kern
Date: Mon, 6 May 2019 16:57:43 -0400
Message-ID: <20190506205743.GA65083@raichu>
In-Reply-To: <52484f6b-fdae-565b-6c03-37a63d56ad30@FreeBSD.org>

On Mon, May 06, 2019 at 01:40:19PM -0700, John Baldwin wrote:
> On 5/6/19 11:45 AM, Mark Johnston wrote:
> > On Mon, May 06, 2019 at 11:07:18AM -0700, John Baldwin wrote:
> >> On 5/3/19 2:26 PM, Mark Johnston wrote:
> >>> Author: markj
> >>> Date: Fri May 3 21:26:44 2019
> >>> New Revision: 347063
> >>> URL: https://svnweb.freebsd.org/changeset/base/347063
> >>>
> >>> Log:
> >>>   Disallow excessively small times of day in clock_settime(2).
> >>> > >>> Reported by: syzkaller > >>> Reviewed by: cem, kib > >>> MFC after: 1 week > >>> Sponsored by: The FreeBSD Foundation > >>> Differential Revision: https://reviews.freebsd.org/D20151 > >>> > >>> Modified: > >>> head/sys/kern/kern_time.c > >>> > >>> Modified: head/sys/kern/kern_time.c > >>> ============================================================================== > >>> --- head/sys/kern/kern_time.c Fri May 3 21:13:09 2019 (r347062) > >>> +++ head/sys/kern/kern_time.c Fri May 3 21:26:44 2019 (r347063) 
> >>> @@ -412,7 +412,9 @@ kern_clock_settime(struct thread *td, clockid_t clock_ > >>> if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 || > >>> ats->tv_sec < 0) > >>> return (EINVAL); > >>> - if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60) > >>> + if (!allow_insane_settime && > >>> + (ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60 || > >>> + ats->tv_sec < utc_offset())) > >>> return (EINVAL); > >>> /* XXX Don't convert nsec->usec and back */ > >>> TIMESPEC_TO_TIMEVAL(&atv, ats); > >> > >> Pardon my ignorance, but I can't see why you are checking against utc_offset() > >> vs some small constant? None of the discussion in the review mentioned the > >> reason for using this particular value, and I didn't see any comparisons > >> against utc_offset or kernadjtz in kern_clock_setttime() or settime() that > >> would have underflowed or panicked. Can you give a bit more detail on why > >> utc_offset() is the lower bound? Thanks. > > > > I chose it because we subtract utc_offset() from the time passed in to > > clock_settime(); see settime_task_func(). That subtraction caused the > > underflow that later caused the observed panics. > > Ok, thanks. A few things I didn't see anyone else note in the review then: > > 1) This subtraction is actually not done for all rtc drivers, so it seems > like we might block small times for RTC clocks that set > CLOCKF_GETTIME_NO_ADJ. The drivers that set NO_ADJ still account for the offset in their individual settime methods. I don't see how it can be correct for any driver to ignore adjkerntz? > 2) utc_offset can be negative for machines using local time in timezones > "before" UTC. Hmm, I believe the patch still handles this case? 
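Review bot: the new `ats->tv_sec < utc_offset()` term in the bounds check carries no comment saying why utc_offset() is the lower bound; as the question above shows, a reader of kern_clock_settime() cannot see from this hunk that settime_task_func() subtracts utc_offset() from the value and that this subtraction is what underflowed. Suggest a comment directly above the `if`, e.g. `/* settime_task_func() subtracts utc_offset(); reject values that would underflow. */`. It would also help to note there that when utc_offset() is negative the new term is subsumed by the preceding `ats->tv_sec < 0` check, which answers the second point raised in the reply.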
> I suppose we don't think any FreeBSD machines actually need to set the
> running clock to 0 anyway so fixing it here rather than rejecting invalid
> values only for RTCs that can't handle it is probably ok, but the
> connection doesn't feel obvious that we are rejecting times that might
> be non-representable in RTCs.

I can add a comment explaining where the comment comes from, assuming
there are no objections to keeping the existing change.  The placement
of the check was motivated by the placement of the pre-existing bounds
check, and the fact that we have no good way to signal an error after
setting the clock.
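To make the interaction between the two bounds checks and the utc_offset() subtraction concrete, here is an added stand-alone C model of the validation discussed in this thread; it is not the kernel's code, and `utc_off` and `allow_insane` are parameters standing in for utc_offset() and the allow_insane_settime sysctl. It also shows why a negative offset is already covered by the earlier `tv_sec < 0` check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Upper bound kept from the pre-existing check: roughly 8000 years. */
#define MAX_SETTIME_SEC (8000ULL * 365 * 24 * 60 * 60)

/*
 * Model of the bounds checks in kern_clock_settime() after r347063.
 * utc_off stands in for utc_offset(): the seconds by which the running
 * clock is ahead of UTC when the RTC keeps local time, zero for UTC.
 * Returns 0 if the time would be accepted, EINVAL otherwise.
 */
int
check_settime(const struct timespec *ats, int64_t utc_off, bool allow_insane)
{
	if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
	    ats->tv_sec < 0)
		return (EINVAL);
	/* A negative utc_off makes the second term redundant with tv_sec < 0. */
	if (!allow_insane &&
	    ((uint64_t)ats->tv_sec > MAX_SETTIME_SEC ||
	    ats->tv_sec < utc_off))
		return (EINVAL);
	return (0);
}

/*
 * What settime_task_func() hands on to the RTC: the time with the offset
 * subtracted.  Before r347063 this went negative for a small tv_sec and a
 * positive offset, which is the underflow discussed above.
 */
int64_t
rtc_seconds(const struct timespec *ats, int64_t utc_off)
{
	return ((int64_t)ats->tv_sec - utc_off);
}

int
main(void)
{
	/* Constructed input: 100 seconds after the epoch. */
	struct timespec small = { .tv_sec = 100, .tv_nsec = 0 };

	/* Constructed offsets: one hour east of UTC, five hours west. */
	printf("offset +3600: check=%d rtc=%lld\n",
	    check_settime(&small, 3600, false), (long long)rtc_seconds(&small, 3600));
	printf("offset -18000: check=%d rtc=%lld\n",
	    check_settime(&small, -18000, false), (long long)rtc_seconds(&small, -18000));
	return (0);
}
```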