lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 8 Dec 2016 20:39:50 -0800
From:   John Stultz <john.stultz@...aro.org>
To:     Ingo Molnar <mingo@...nel.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        David Gibson <david@...son.dropbear.id.au>,
        Liav Rehana <liavr@...lanox.com>,
        Chris Metcalf <cmetcalf@...lanox.com>,
        Richard Cochran <richardcochran@...il.com>,
        Parit Bhargava <prarit@...hat.com>,
        Laurent Vivier <lvivier@...hat.com>,
        "Christopher S. Hall" <christopher.s.hall@...el.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [patch 5/6] [RFD] timekeeping: Provide optional 128bit math

On Thu, Dec 8, 2016 at 8:29 PM, Ingo Molnar <mingo@...nel.org> wrote:
>
> * Ingo Molnar <mingo@...nel.org> wrote:
>
>>
>> * Thomas Gleixner <tglx@...utronix.de> wrote:
>>
>> > If the timekeeping CPU is scheduled out long enough by a hypervisor the
>> > clocksource delta multiplication can overflow and as a result time can go
>> > backwards. That's insane to begin with, but people already triggered a
>> > signed multiplication overflow, so a unsigned overflow is not necessarily
>> > impossible.
>> >
>> > Implement optional 128bit math which can be selected by a config option.
>>
>> What's the rough VM interruption time that would trigger an overflow? Given that
>> the clock shift tk_read_base::mult is often 1, isn't it 32-bit nsecs, i.e. 4
>> seconds?
>>
>> That doesn't sound 'insanely long'.
>>
>> Or some other value?
>
> Ok, wasn't fully awake yet: more realistic values of the scaling factor on x86
> would allow cycles input values of up to ~70 billion with 64-bit math, which would
> allow deltas of up to about 1 minute with 64-bit math.

So if I'm remembering properly, we pick mult/shift pairs such that the
mult shouldn't overflow from ~10 minutes worth of cycles.

> I think we should at least detect (and report?) the overflow and sanitize the
> effects to the max offset instead of generating random overflown values.

So with CONFIG_DEBUG_TIMEKEEPING, we do check to see if the cycle
value is larger then the max_cycles and will report a warning. But
this is done at interrupt time and not in the hotpath.

thanks
-john

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ