lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.20.1611152250080.3595@nanos>
Date:   Tue, 15 Nov 2016 22:53:44 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     John Stultz <john.stultz@...aro.org>
cc:     Chris Metcalf <cmetcalf@...lanox.com>,
        Laurent Vivier <lvivier@...hat.com>,
        David Gibson <david@...son.dropbear.id.au>,
        "Christopher S . Hall" <christopher.s.hall@...el.com>,
        lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] time: Avoid signed overflow in
 timekeeping_delta_to_ns()

On Mon, 14 Nov 2016, John Stultz wrote:

> On Mon, Nov 14, 2016 at 11:42 AM, Chris Metcalf <cmetcalf@...lanox.com> wrote:
> > This bugfix was originally made in commit 35a4933a8959 ("time:
> > Avoid signed overflow in timekeeping_get_ns()").  When the code was
> > refactored in commit 6bd58f09e1d8 ("time: Add cycles to nanoseconds
> > translation") the signed overflow fix was lost.  Re-introduce it.
> >
> > Signed-off-by: Chris Metcalf <cmetcalf@...lanox.com>
> > ---
> > I happened to be looking for an unrelated fix, found this code,
> > realized the tip code didn't match the fixed code, and
> > backtracked to where it had gone away.
> >
> >  kernel/time/timekeeping.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
> > index 37dec7e3db43..57926bc7b7f3 100644
> > --- a/kernel/time/timekeeping.c
> > +++ b/kernel/time/timekeeping.c
> > @@ -304,8 +304,7 @@ static inline s64 timekeeping_delta_to_ns(struct tk_read_base *tkr,
> >  {
> >         s64 nsec;
> >
> > -       nsec = delta * tkr->mult + tkr->xtime_nsec;
> > -       nsec >>= tkr->shift;
> > +       nsec = (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift;
> 
> Ugh.
> 
> So... I think this proves the original fix was *far* too subtle to
> maintain. So I think reintroducing it as-is doesn't protect us from
> undoing it.  If the problem is really using the signed intermediate
> nsec value, we should get rid of that.

As I told the other guy who submitted something similar: This is not really
helpful. It merily drags the overflow case out by a factor of 2.

So we really need to figure out under which circumstances this can happen
and fixup either the callsites or detect the condition right there, which
I'd like to avoid for the hotpath.

Thanks,

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ