From: "Rodney W. Grimes"
Message-Id: <201905062103.x46L3BSW008437@gndrsh.dnsmgr.net>
Subject: Re: svn commit: r347063 - head/sys/kern
In-Reply-To: <20190506205743.GA65083@raichu>
To: Mark Johnston
Date: Mon, 6 May 2019 14:03:11 -0700 (PDT)
CC: John Baldwin, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Reply-To: rgrimes@freebsd.org
List-Id: "SVN commit messages for the entire src tree (except for "user" and "projects")"

> On Mon, May 06, 2019 at 01:40:19PM -0700, John Baldwin wrote:
> > On 5/6/19 11:45 AM, Mark Johnston wrote:
> > > On Mon, May 06, 2019 at 11:07:18AM -0700, John Baldwin wrote:
> > >> On 5/3/19 2:26 PM, Mark Johnston wrote:
> > >>> Author: markj
> > >>> Date: Fri May 3 21:26:44 2019
> > >>> New Revision: 347063
> > >>> URL: https://svnweb.freebsd.org/changeset/base/347063
> > >>>
> > >>> Log:
> > >>>   Disallow excessively small times of day in clock_settime(2).
> > >>>
> > >>>   Reported by:	syzkaller
> > >>>   Reviewed by:	cem, kib
> > >>>   MFC after:	1 week
> > >>>   Sponsored by:	The FreeBSD Foundation
> > >>>   Differential Revision:	https://reviews.freebsd.org/D20151
> > >>>
> > >>> Modified:
> > >>>   head/sys/kern/kern_time.c
> > >>>
> > >>> Modified: head/sys/kern/kern_time.c
> > >>> ==============================================================================
> > >>> --- head/sys/kern/kern_time.c	Fri May 3 21:13:09 2019	(r347062)
> > >>> +++ head/sys/kern/kern_time.c	Fri May 3 21:26:44 2019	(r347063)
> > >>> @@ -412,7 +412,9 @@ kern_clock_settime(struct thread *td, clockid_t clock_
> > >>>  	if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
> > >>>  	    ats->tv_sec < 0)
> > >>>  		return (EINVAL);
> > >>> -	if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60)
> > >>> +	if (!allow_insane_settime &&
> > >>> +	    (ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60 ||
> > >>> +	    ats->tv_sec < utc_offset()))
> > >>>  		return (EINVAL);
> > >>>  	/* XXX Don't convert nsec->usec and back */
> > >>>  	TIMESPEC_TO_TIMEVAL(&atv, ats);
> > >>
> > >> Pardon my ignorance, but I can't see why you are checking against utc_offset()
> > >> vs some small constant?  None of the discussion in the review mentioned the
> > >> reason for using this particular value, and I didn't see any comparisons
> > >> against utc_offset or adjkerntz in kern_clock_settime() or settime() that
> > >> would have underflowed or panicked.  Can you give a bit more detail on why
> > >> utc_offset() is the lower bound?  Thanks.
> > >
> > > I chose it because we subtract utc_offset() from the time passed in to
> > > clock_settime(); see settime_task_func().  That subtraction caused the
> > > underflow that later caused the observed panics.
> >
> > Ok, thanks.  A few things I didn't see anyone else note in the review then:
> >
> > 1) This subtraction is actually not done for all rtc drivers, so it seems
> >    like we might block small times for RTC clocks that set
> >    CLOCKF_GETTIME_NO_ADJ.
>
> The drivers that set NO_ADJ still account for the offset in their
> individual settime methods.  I don't see how it can be correct for any
> driver to ignore adjkerntz?
>
> > 2) utc_offset can be negative for machines using local time in timezones
> >    "before" UTC.
>
> Hmm, I believe the patch still handles this case?

It should, as for the negative utc_offset the subtract actually increases
the value and thus no wrapping through 0 occurs.
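Review bot: the new lower bound `ats->tv_sec < utc_offset()` is not self-explanatory inside kern_clock_settime(), which itself never subtracts the offset; the hunk should carry a comment saying the check exists because settime_task_func() later subtracts utc_offset() from this value and a result below zero is what triggered the reported panic. Two related points for the same lines: the whole condition sits behind `!allow_insane_settime`, so with that sysctl set a tv_sec below utc_offset() still reaches the subtraction and the underflow is avoided by policy rather than removed, which argues for a guard at the subtraction site as well; and when utc_offset() is negative the new comparison is weaker than the existing `ats->tv_sec < 0` check and rejects nothing extra, which is the intended behaviour but is worth stating in that comment so the next reader does not have to rederive it.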
> > I suppose we don't think any FreeBSD machines actually need to set the
> > running clock to 0 anyway so fixing it here rather than rejecting invalid
> > values only for RTCs that can't handle it is probably ok, but the
> > connection doesn't feel obvious that we are rejecting times that might
> > be non-representable in RTCs.
>
> I can add a comment explaining where the comment comes from, assuming
> there are no objections to keeping the existing change.  The placement
> of the check was motivated by the placement of the pre-existing bounds
> check, and the fact that we have no good way to signal an error after
> setting the clock.

The latter works for me.  Would it make sense to mark the code where the
subtraction is done too, citing the above code and comment?

--
Rod Grimes                                                 rgrimes@freebsd.org
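The bounds-check reasoning in this thread (a tv_sec below utc_offset() goes negative once settime_task_func() subtracts the offset, while a negative utc_offset() only raises the value, and the allow_insane_settime bypass leaves the negative case reachable) as an added C model; this is example code written for this page, not FreeBSD kernel code. It assumes utc_offset() can be treated as a plain integer parameter and the later subtraction as tv_sec minus that value; check_settime, rtc_seconds and settime_underflows are hypothetical names.

```c
#include <errno.h>
#include <time.h>

/*
 * Model of the check added in r347063 and of the later utc_offset()
 * subtraction the thread points at (settime_task_func()).  The kernel
 * derives utc_offset() from timezone and adjkerntz settings; here it is
 * a plain parameter so positive, negative and bypass cases can be tried.
 */

/* Upper bound applied unless allow_insane_settime is set (~8000 years). */
#define INSANE_SETTIME_LIMIT (8000ULL * 365 * 24 * 60 * 60)

/* Returns 0 when the timespec would be accepted, EINVAL otherwise. */
int
check_settime(const struct timespec *ats, int utc_off, int allow_insane)
{
	if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
	    ats->tv_sec < 0)
		return (EINVAL);
	/*
	 * r347063: besides the upper bound, reject a tv_sec below
	 * utc_offset(), since that value is subtracted before the time
	 * reaches the RTC driver.  A negative utc_off rejects nothing
	 * extra here, which is fine: the subtraction then adds.
	 */
	if (!allow_insane &&
	    ((unsigned long long)ats->tv_sec > INSANE_SETTIME_LIMIT ||
	    ats->tv_sec < utc_off))
		return (EINVAL);
	return (0);
}

/* Seconds an RTC driver would be handed after the offset subtraction. */
long long
rtc_seconds(const struct timespec *ats, int utc_off)
{
	return ((long long)ats->tv_sec - utc_off);
}

/*
 * 1 if a value that passes the check would still go negative after the
 * subtraction (the condition behind the syzkaller report), else 0.
 */
int
settime_underflows(const struct timespec *ats, int utc_off, int allow_insane)
{
	if (check_settime(ats, utc_off, allow_insane) != 0)
		return (0);	/* rejected before the subtraction happens */
	return (rtc_seconds(ats, utc_off) < 0);
}
```

With utc_off = 28800 (a local-time RTC eight hours behind UTC) a tv_sec of 100 is rejected, 28800 is accepted and maps to RTC second 0, and only the allow_insane bypass lets the negative result through.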