From owner-svn-src-all@freebsd.org Mon May 6 21:11:48 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D0B6A15963FD; Mon, 6 May 2019 21:11:47 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 751428AB24; Mon, 6 May 2019 21:11:47 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from John-Baldwins-MacBook-Pro-3.local (ralph.baldwin.cx [66.234.199.215]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: jhb) by smtp.freebsd.org (Postfix) with ESMTPSA id BFE1F174F4; Mon, 6 May 2019 21:11:46 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Subject: Re: svn commit: r347063 - head/sys/kern To: Mark Johnston Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org References: <201905032126.x43LQilu092655@repo.freebsd.org> <335d828e-ac61-bc59-bac3-f80f27b951c7@FreeBSD.org> <20190506184502.GA35464@raichu> <52484f6b-fdae-565b-6c03-37a63d56ad30@FreeBSD.org> <20190506205743.GA65083@raichu> From: John Baldwin Openpgp: preference=signencrypt Autocrypt: addr=jhb@FreeBSD.org; keydata= mQGiBETQ+XcRBADMFybiq69u+fJRy/0wzqTNS8jFfWaBTs5/OfcV7wWezVmf9sgwn8TW0Dk0 c9MBl0pz+H01dA2ZSGZ5fXlmFIsee1WEzqeJzpiwd/pejPgSzXB9ijbLHZ2/E0jhGBcVy5Yo /Tw5+U/+laeYKu2xb0XPvM0zMNls1ah5OnP9a6Ql6wCgupaoMySb7DXm2LHD1Z9jTsHcAQMD /1jzh2BoHriy/Q2s4KzzjVp/mQO5DSm2z14BvbQRcXU48oAosHA1u3Wrov6LfPY+0U1tG47X 1BGfnQH+rNAaH0livoSBQ0IPI/8WfIW7ub4qV6HYwWKVqkDkqwcpmGNDbz3gfaDht6nsie5Z pcuCcul4M9CW7Md6zzyvktjnbz61BADGDCopfZC4of0Z3Ka0u8Wik6UJOuqShBt1WcFS8ya1 oB4rc4tXfSHyMF63aPUBMxHR5DXeH+EO2edoSwViDMqWk1jTnYza51rbGY+pebLQOVOxAY7k do5Ordl3wklBPMVEPWoZ61SdbcjhHVwaC5zfiskcxj5wwXd2E9qYlBqRg7QeSm9obiBCYWxk d2luIDxqaGJARnJlZUJTRC5vcmc+iGAEExECACAFAkTQ+awCGwMGCwkIBwMCBBUCCAMEFgID AQIeAQIXgAAKCRBy3lIGd+N/BI6RAJ9S97fvbME+3hxzE3JUyUZ6vTewDACdE1stFuSfqMvM jomvZdYxIYyTUpC5Ag0ERND5ghAIAPwsO0B7BL+bz8sLlLoQktGxXwXQfS5cInvL17Dsgnr3 1AKa94j9EnXQyPEj7u0d+LmEe6CGEGDh1OcGFTMVrof2ZzkSy4+FkZwMKJpTiqeaShMh+Goj XlwIMDxyADYvBIg3eN5YdFKaPQpfgSqhT+7El7w+wSZZD8pPQuLAnie5iz9C8iKy4/cMSOrH YUK/tO+Nhw8Jjlw94Ik0T80iEhI2t+XBVjwdfjbq3HrJ0ehqdBwukyeJRYKmbn298KOFQVHO EVbHA4rF/37jzaMadK43FgJ0SAhPPF5l4l89z5oPu0b/+5e2inA3b8J3iGZxywjM+Csq1tqz hltEc7Q+E08AAwUIAL+15XH8bPbjNJdVyg2CMl10JNW2wWg2Q6qdljeaRqeR6zFus7EZTwtX sNzs5bP8y51PSUDJbeiy2RNCNKWFMndM22TZnk3GNG45nQd4OwYK0RZVrikalmJY5Q6m7Z16 4yrZgIXFdKj2t8F+x613/SJW1lIr9/bDp4U9tw0V1g3l2dFtD3p3ZrQ3hpoDtoK70ioIAjjH aIXIAcm3FGZFXy503DOA0KaTWwvOVdYCFLm3zWuSOmrX/GsEc7ovasOWwjPn878qVjbUKWwx Q4QkF4OhUV9zPtf9tDSAZ3x7QSwoKbCoRCZ/xbyTUPyQ1VvNy/mYrBcYlzHodsaqUDjHuW+I SQQYEQIACQUCRND5ggIbDAAKCRBy3lIGd+N/BCO8AJ9j1dWVQWxw/YdTbEyrRKOY8YZNwwCf afMAg8QvmOWnHx3wl8WslCaXaE8= Message-ID: <85c51618-01ca-2005-388e-52762358320b@FreeBSD.org> Date: Mon, 6 May 2019 14:11:44 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <20190506205743.GA65083@raichu> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 751428AB24 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.990,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 May 2019 21:11:48 -0000 On 5/6/19 1:57 PM, Mark Johnston wrote: > On Mon, May 06, 2019 at 01:40:19PM -0700, John Baldwin wrote: >> On 5/6/19 11:45 AM, Mark Johnston wrote: >>> On Mon, May 06, 2019 at 11:07:18AM -0700, John Baldwin wrote: >>>> On 5/3/19 2:26 PM, Mark Johnston wrote: >>>>> Author: markj >>>>> Date: Fri May 3 21:26:44 2019 >>>>> New Revision: 347063 >>>>> URL: https://svnweb.freebsd.org/changeset/base/347063 >>>>> >>>>> Log: >>>>> Disallow excessively small times of day in clock_settime(2). >>>>> >>>>> Reported by: syzkaller >>>>> Reviewed by: cem, kib >>>>> MFC after: 1 week >>>>> Sponsored by: The FreeBSD Foundation >>>>> Differential Revision: https://reviews.freebsd.org/D20151 >>>>> >>>>> Modified: >>>>> head/sys/kern/kern_time.c >>>>> >>>>> Modified: head/sys/kern/kern_time.c >>>>> ============================================================================== >>>>> --- head/sys/kern/kern_time.c Fri May 3 21:13:09 2019 (r347062) >>>>> +++ head/sys/kern/kern_time.c Fri May 3 21:26:44 2019 (r347063) >>>>> @@ -412,7 +412,9 @@ kern_clock_settime(struct thread *td, clockid_t clock_ >>>>> if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 || >>>>> ats->tv_sec < 0) >>>>> return (EINVAL); >>>>> - if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60) >>>>> + if (!allow_insane_settime && >>>>> + (ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60 || >>>>> + ats->tv_sec < utc_offset())) >>>>> return (EINVAL); >>>>> /* XXX Don't convert nsec->usec and back */ >>>>> TIMESPEC_TO_TIMEVAL(&atv, ats); >>>> >>>> Pardon my ignorance, but I can't see why you are checking against utc_offset() >>>> vs some small constant? None of the discussion in the review mentioned the >>>> reason for using this particular value, and I didn't see any comparisons >>>> against utc_offset or kernadjtz in kern_clock_setttime() or settime() that >>>> would have underflowed or panicked. Can you give a bit more detail on why >>>> utc_offset() is the lower bound? Thanks. >>> >>> I chose it because we subtract utc_offset() from the time passed in to >>> clock_settime(); see settime_task_func(). That subtraction caused the >>> underflow that later caused the observed panics. >> >> Ok, thanks. A few things I didn't see anyone else note in the review then: >> >> 1) This subtraction is actually not done for all rtc drivers, so it seems >> like we might block small times for RTC clocks that set >> CLOCKF_GETTIME_NO_ADJ. > > The drivers that set NO_ADJ still account for the offset in their > individual settime methods. I don't see how it can be correct for any > driver to ignore adjkerntz? > >> 2) utc_offset can be negative for machines using local time in timezones >> "before" UTC. > > Hmm, I believe the patch still handles this case? Yes, it's just redundant as the earlier 'tv_sec < 0' check means we'll never see a value < utc_offset. One thought I had was similar to what Warner suggested of just using the max value of '24 * 60 * 60', though I suppose the maximal utc_offset is more like '12 * 60 * 60'? utc_offset is probably good enough as is. >> I suppose we don't think any FreeBSD machines actually need to set the >> running clock to 0 anyway so fixing it here rather than rejecting invalid >> values only for RTCs that can't handle it is probably ok, but the >> connection doesn't feel obvious that we are rejecting times that might >> be non-representable in RTCs. > > I can add a comment explaining where the comment comes from, assuming > there are no objections to keeping the existing change. The placement > of the check was motivated by the placement of the pre-existing bounds > check, and the fact that we have no good way to signal an error after > setting the clock. Well, one route we could have chosen would be to let the kernel run at a time the RTC can't represent and in that case we just don't rewrite the RTC and the time will reset to the RTC's time when we reboot. This would rely on the individual RTC drivers ignoring non-representable times in their settime methods. However, the fact that we already ignore times < 0 means we already have an arbitrary lower bound, so I ended up concluding that what you committed was fine. If you can think of a good comment to add that might be helpful to future readers. -- John Baldwin