svn commit: r347063 - head/sys/kern

Rodney W. Grimes freebsd at gndrsh.dnsmgr.net
Mon May 6 21:03:14 UTC 2019 

> On Mon, May 06, 2019 at 01:40:19PM -0700, John Baldwin wrote:
> > On 5/6/19 11:45 AM, Mark Johnston wrote:
> > > On Mon, May 06, 2019 at 11:07:18AM -0700, John Baldwin wrote:
> > >> On 5/3/19 2:26 PM, Mark Johnston wrote:
> > >>> Author: markj
> > >>> Date: Fri May  3 21:26:44 2019
> > >>> New Revision: 347063
> > >>> URL: https://svnweb.freebsd.org/changeset/base/347063
> > >>>
> > >>> Log:
> > >>>   Disallow excessively small times of day in clock_settime(2).
> > >>>   
> > >>>   Reported by:	syzkaller
> > >>>   Reviewed by:	cem, kib
> > >>>   MFC after:	1 week
> > >>>   Sponsored by:	The FreeBSD Foundation
> > >>>   Differential Revision:	https://reviews.freebsd.org/D20151
> > >>>
> > >>> Modified:
> > >>>   head/sys/kern/kern_time.c
> > >>>
> > >>> Modified: head/sys/kern/kern_time.c
> > >>> ==============================================================================
> > >>> --- head/sys/kern/kern_time.c	Fri May  3 21:13:09 2019	(r347062)
> > >>> +++ head/sys/kern/kern_time.c	Fri May  3 21:26:44 2019	(r347063)
> > >>> @@ -412,7 +412,9 @@ kern_clock_settime(struct thread *td, clockid_t clock_
> > >>>  	if (ats->tv_nsec < 0 || ats->tv_nsec >= 1000000000 ||
> > >>>  	    ats->tv_sec < 0)
> > >>>  		return (EINVAL);
> > >>> -	if (!allow_insane_settime && ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60)
> > >>> +	if (!allow_insane_settime &&
> > >>> +	    (ats->tv_sec > 8000ULL * 365 * 24 * 60 * 60 ||
> > >>> +	    ats->tv_sec < utc_offset()))
> > >>>  		return (EINVAL);
> > >>>  	/* XXX Don't convert nsec->usec and back */
> > >>>  	TIMESPEC_TO_TIMEVAL(&atv, ats);
> > >>
> > >> Pardon my ignorance, but I can't see why you are checking against utc_offset()
> > >> vs some small constant?  None of the discussion in the review mentioned the
> > >> reason for using this particular value, and I didn't see any comparisons
> > >> against utc_offset or kernadjtz in kern_clock_setttime() or settime() that
> > >> would have underflowed or panicked.  Can you give a bit more detail on why
> > >> utc_offset() is the lower bound?  Thanks.
> > > 
> > > I chose it because we subtract utc_offset() from the time passed in to
> > > clock_settime(); see settime_task_func().  That subtraction caused the
> > > underflow that later caused the observed panics.
> > 
> > Ok, thanks.  A few things I didn't see anyone else note in the review then:
> > 
> > 1) This subtraction is actually not done for all rtc drivers, so it seems
> >    like we might block small times for RTC clocks that set
> >    CLOCKF_GETTIME_NO_ADJ.
> 
> The drivers that set NO_ADJ still account for the offset in their
> individual settime methods.  I don't see how it can be correct for any
> driver to ignore adjkerntz?
> 
> > 2) utc_offset can be negative for machines using local time in timezones
> >    "before" UTC.
> 
> Hmm, I believe the patch still handles this case?

It should, as for the negative utc_offset the subtract actually
increases the value and thus no wrapping through 0 occurs.

> > I suppose we don't think any FreeBSD machines actually need to set the
> > running clock to 0 anyway so fixing it here rather than rejecting invalid
> > values only for RTCs that can't handle it is probably ok, but the
> > connection doesn't feel obvious that we are rejecting times that might
> > be non-representable in RTCs.
> 
> I can add a comment explaining where the comment comes from, assuming
> there are no objections to keeping the existing change.  The placement
> of the check was motivated by the placement of the pre-existing bounds
> check, and the fact that we have no good way to signal an error after
> setting the clock.

The later works for me.  Would it make since to mark the code
where the subtraction is done too, sighting the above code and
comment?

-- 
Rod Grimes                                                 rgrimes at freebsd.org

More information about the svn-src-all mailing list