svn commit: r347063 - head/sys/kern
Mark Johnston
markj at freebsd.org
Mon May 6 20:57:50 UTC 2019
On Mon, May 06, 2019 at 01:40:19PM -0700, John Baldwin wrote:
> On 5/6/19 11:45 AM, Mark Johnston wrote:
> > On Mon, May 06, 2019 at 11:07:18AM -0700, John Baldwin wrote:
> >> On 5/3/19 2:26 PM, Mark Johnston wrote:
> >>> Author: markj
> >>> Date: Fri May 3 21:26:44 2019
> >>> New Revision: 347063
> >>> URL: https://svnweb.freebsd.org/changeset/base/347063
> >>>
> >>> Log:
> >>> Disallow excessively small times of day in clock_settime(2).
> >>>
> >>> Reported by: syzkaller
> >>> Reviewed by: cem, kib
> >>> MFC after: 1 week
> >>> Sponsored by: The FreeBSD Foundation
> >>> Differential Revision: https://reviews.freebsd.org/D20151
> >>>
> >>> Modified:
> >>> head/sys/kern/kern_time.c
> >>>
> >>> Modified: head/sys/kern/kern_time.c
> >>> ==============================================================================
> >>> --- head/sys/kern/kern_time.c Fri May 3 21:13:09 2019 (r347062)
> >>> +++ head/sys/kern/kern_time.c Fri May 3 21:26:44 2019 (r347063)
> >>> @@ -412,7 +412,9 @@ kern_clock_settime(struct thread *td, clockid_t clock_
> >>> if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
> >>> ats->tv_sec < 0)
> >>> return (EINVAL);
> >>> - if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60)
> >>> + if (!allow_insane_settime &&
> >>> + (ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60 ||
> >>> + ats->tv_sec < utc_offset()))
> >>> return (EINVAL);
> >>> /* XXX Don't convert nsec->usec and back */
> >>> TIMESPEC_TO_TIMEVAL(&atv, ats);
> >>
> >> Pardon my ignorance, but I can't see why you are checking against utc_offset()
> >> vs some small constant? None of the discussion in the review mentioned the
> >> reason for using this particular value, and I didn't see any comparisons
> >> against utc_offset or kernadjtz in kern_clock_setttime() or settime() that
> >> would have underflowed or panicked. Can you give a bit more detail on why
> >> utc_offset() is the lower bound? Thanks.
> >
> > I chose it because we subtract utc_offset() from the time passed in to
> > clock_settime(); see settime_task_func(). That subtraction caused the
> > underflow that later caused the observed panics.
>
> Ok, thanks. A few things I didn't see anyone else note in the review then:
>
> 1) This subtraction is actually not done for all rtc drivers, so it seems
> like we might block small times for RTC clocks that set
> CLOCKF_GETTIME_NO_ADJ.
The drivers that set NO_ADJ still account for the offset in their
individual settime methods. I don't see how it can be correct for any
driver to ignore adjkerntz?
> 2) utc_offset can be negative for machines using local time in timezones
> "before" UTC.
Hmm, I believe the patch still handles this case?
> I suppose we don't think any FreeBSD machines actually need to set the
> running clock to 0 anyway so fixing it here rather than rejecting invalid
> values only for RTCs that can't handle it is probably ok, but the
> connection doesn't feel obvious that we are rejecting times that might
> be non-representable in RTCs.
I can add a comment explaining where the comment comes from, assuming
there are no objections to keeping the existing change. The placement
of the check was motivated by the placement of the pre-existing bounds
check, and the fact that we have no good way to signal an error after
setting the clock.
More information about the svn-src-all
mailing list