| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 May 2014 17:09:25 +0200
From: Arnd Bergmann <arnd@...db.de>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
joseph@...esourcery.com, john.stultz@...aro.org, hch@...radead.org,
tglx@...utronix.de, geert@...ux-m68k.org, lftan@...era.com,
linux-fsdevel@...r.kernel.org
Subject: Re: [RFC 02/32] uapi: add struct __kernel_timespec{32,64}
On Friday 30 May 2014 13:18:45 H. Peter Anvin wrote:
> On 05/30/2014 01:01 PM, Arnd Bergmann wrote:
> > We cannot use time_t or any derived structures beyond the year
> > 2038 in interfaces between kernel and user space, on 32-bit
> > machines.
> >
> > This is my suggestion for how to migrate syscall and ioctl
> > interfaces: We completely phase out time_t, timeval and timespec
> > from the uapi header files and replace them with types that are
> > either explicitly safe (__kernel_timespec64), or explicitly
> > unsafe (e.g. __kernel_timespec32). For each unsafe interface,
> > there needs to be a safe replacement interface.
> >
>
> This gets really messy for structures where this is ABI-dependent. I'm
> not sure this is a net win.
We could have an extra '__kernel_oldtimespec' type that we can
use for all ABIs that are today defined in terms of timespec.
What I was mostly trying to avoid here is leaving any 'struct timespec'
in header files, because glibc may define that type differently
depending on a __TIME_BITS macro. This is more of a problem for
ioctls than for system calls.
> > +/*
> > + * __kernel_timespec64 is the general type to be used for
> > + * new user space interfaces passing a time argument.
> > + * 64-bit nanoseconds is a bit silly, but the advantage is
> > + * that it is compatible with the native 'struct timespec'
> > + * on 64-bit user space. This simplifies the compat code.
> > + */
> > +struct __kernel_timespec64 {
> > + long long tv_sec;
> > + long long tv_nsec;
> > +};
>
> So it seems that it is not just POSIX that is drain bramaged with this,
> but the "long" type for tv_nsec idiocy has made it into the C11
> standard. This unfortunately means that now there are two standards
> bodies involved, at least one of which moves very slowly.
My feeling is that our best hope is to completely isolate the kernel
interfaces from what user space wants to have as time_t. glibc for
instance may have a different idea about standards compliance than
android or klibc.
> This makes me wonder if we don't need to deal with the problem in the
> case of 32-bit ABIs with 64-bit time_t. The logical thing seems to be
> to EITHER:
>
> a. ALWAYS ignore the upper 32 bits of tv_nsec when read from user space,
> but always set them to zero, or
> b. Only ignore the upper 32 bits of tv_nsec when we are known to come
> from a 32-bit ABI context, but still always return zero. These bits
> are already only used for validity checking.
>
> This most likely introduces a whole lot of new tests in deep paths,
> although we probably can centralize this in a single function, which
> otherwise ends up looking a lot like compat_get_timespec().
>
> Getting rid of struct timespec on the kernel/user boundary is probably
> not really feasible.
My approach was based on the discussion with Joseph, who would like glibc
to support both 32 and 64 bit time_t using the same libc binary and
versioned symbols. I don't see how that could work when you build a
user space program that sees a timespec in kernel headers and tries
to pass that into a non-translated kernel interface (e.g. ioctl) but
use the same timespec for a glibc-provided function like gettimeofday().
Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists