Message-ID: <20180226180112.GA225858@rodete-desktop-imager.corp.google.com>
Date:   Mon, 26 Feb 2018 10:01:15 -0800
From:   Brian Norris <briannorris@...omium.org>
To:     Jeffy Chen <jeffy.chen@...k-chips.com>
Cc:     linux-kernel@...r.kernel.org, zyw@...k-chips.com,
        briannorris@...gle.com, dianders@...gle.com, jwerner@...omium.org,
        linux-rtc@...r.kernel.org,
        Alexandre Belloni <alexandre.belloni@...tlin.com>,
        Alessandro Zummo <a.zummo@...ertech.it>
Subject: Re: [PATCH] rtc: cros-ec: return -ETIME when refused to set alarms
 in the past

Hi Jeffy,

On Sun, Feb 25, 2018 at 04:18:02PM +0800, Jeffy Chen wrote:
> We have a check in __rtc_set_alarm() to return -ETIME when the alarm
> is in the past.
> 
> Since accessing a Chrome OS EC based rtc is a slow operation, we should
> do that check again inside of the EC rtc driver's .set_alarm() callback.

Thanks for the patch. I'd note that this is related to the race
documented in __rtc_set_alarm() (drivers/rtc/interface.c):

        /*
         * XXX - We just checked to make sure the alarm time is not
         * in the past, but there is still a race window where if
         * the is alarm set for the next second and the second ticks
         * over right here, before we set the alarm.
         */

It feels like we should put this comment somewhere more prominent;
perhaps some kerneldoc for the .set_alarm() callback? Because I suspect
that nearly every RTC driver is susceptible to this problem.

Anyway, I think this patch is helpful, because as you note the EC
protocol is relatively slow (it's much more than just a register write),
but your patch still doesn't really cover the whole problem. Even if you
compare the current time here, time marches on between here and
EC_CMD_RTC_SET_ALARM. So you can still have the same race, where the RTC
makes another tick before we set the alarm? Just think: what if we slept
for a second right after that -ETIME check?

What happens next...depends on the implementation I suppose. It's
possible that an alarm could still immediately fire for a "past" event.
But it's also possible the alarm will get dropped [1].

I wonder if a better solution would be to re-check the clock right after
setting the alarm. If the alarm is already past, then we should return
-ETIME? Is there any harm in double-reporting an alarm? (If so, we could
try to add accounting information somehow...)

I also wonder if that check should be done in the generic code (perhaps
with a flag to opt-in or opt-out?), since this really seems like a
fundamental problem of the interface.

Brian

[1] And lest we think that dropping it is fine: this breaks, e.g.,
hwclock which relies on RTC_UIE_ON -> rtc_update_irq_enable(), which
sets a 1-second alarm and expects it to fire an interrupt.

> Signed-off-by: Jeffy Chen <jeffy.chen@...k-chips.com>
> ---
> 
>  drivers/rtc/rtc-cros-ec.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/rtc/rtc-cros-ec.c b/drivers/rtc/rtc-cros-ec.c
> index f0ea6899c731..ee0062e2d222 100644
> --- a/drivers/rtc/rtc-cros-ec.c
> +++ b/drivers/rtc/rtc-cros-ec.c
> @@ -188,6 +188,10 @@ static int cros_ec_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm)
>  	if (alarm_time < 0 || alarm_time > U32_MAX)
>  		return -EINVAL;
>  
> +	/* Don't set an alarm in the past. */
> +	if ((u32)alarm_time <= current_time)
> +		return -ETIME;
> +
>  	if (!alrm->enabled) {
>  		/*
>  		 * If the alarm is being disabled, send an alarm
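
Review bot: The new -ETIME check sits above the `if (!alrm->enabled)` branch, so a request to disable an alarm whose time is at or before current_time now returns -ETIME and never reaches the disable path shown in the context lines. Consider moving the check into the enabled branch so that clearing a stale alarm still succeeds, or state in the commit message that refusing such disable requests is intended.
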
> @@ -196,11 +200,7 @@ static int cros_ec_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm)
>  		alarm_offset = EC_RTC_ALARM_CLEAR;
>  		cros_ec_rtc->saved_alarm = (u32)alarm_time;
>  	} else {
> -		/* Don't set an alarm in the past. */
> -		if ((u32)alarm_time < current_time)
> -			alarm_offset = EC_RTC_ALARM_CLEAR;
> -		else
> -			alarm_offset = (u32)alarm_time - current_time;
> +		alarm_offset = (u32)alarm_time - current_time;
>  	}
>  
>  	ret = cros_ec_rtc_set(cros_ec, EC_CMD_RTC_SET_ALARM, alarm_offset);
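
Review bot: The removed check in the else branch compared with `<`, while its replacement uses `<=`, so an alarm for the current second, which previously went to the EC with an offset of 0, is now refused with -ETIME; the commit message only mentions alarms in the past and should say whether this is deliberate. The now-unguarded `alarm_offset = (u32)alarm_time - current_time;` also depends on that earlier check to avoid wrapping, so a short comment here noting the dependency would help anyone who later moves or relaxes the check.
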
> -- 
> 2.11.0
> 
> 
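
The set-then-re-check idea raised in the reply above, as an added example that is not code from the thread, the cros-ec driver or the kernel. It assumes a constructed user-space model (`sim_rtc`, `sim_dev_set_alarm` and both setter names are hypothetical) in which the device takes an absolute alarm time, the clock advances while the command is in flight, and an alarm that is no longer in the future is silently dropped.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a slow RTC; not a kernel or EC interface. */
struct sim_rtc {
    uint32_t now;        /* current RTC time in seconds */
    uint32_t latency_s;  /* seconds that pass while a command is in flight */
    uint32_t alarm_at;   /* last alarm time handed to the device */
    bool armed;          /* false if the device dropped the alarm */
};

/* Device side: time advances during the transfer, and this model drops
 * an alarm that is not strictly in the future when it arrives. */
static void sim_dev_set_alarm(struct sim_rtc *r, uint32_t when)
{
    r->now += r->latency_s;
    r->alarm_at = when;
    r->armed = when > r->now;
}

/* Check the clock only before issuing the slow command. */
static int set_alarm_check_before(struct sim_rtc *r, uint32_t when)
{
    if (when <= r->now)
        return -ETIME;
    sim_dev_set_alarm(r, when);
    return 0;  /* can report success for an alarm the device dropped */
}

/* Same, but re-read the clock afterwards and report an expired alarm. */
static int set_alarm_recheck(struct sim_rtc *r, uint32_t when)
{
    if (when <= r->now)
        return -ETIME;
    sim_dev_set_alarm(r, when);
    if (when <= r->now)
        return -ETIME;  /* the tick happened while the command was in flight */
    return 0;
}

int main(void)
{
    struct sim_rtc a = { .now = 100, .latency_s = 1 }, b = a;
    int before = set_alarm_check_before(&a, 101);
    int after = set_alarm_recheck(&b, 101);
    printf("check-before: ret=%d armed=%d\n", before, a.armed);
    printf("re-check:     ret=%d armed=%d\n", after, b.armed);
    return 0;
}
```
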
