lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 1 May 2019 16:25:13 +0200
From:   Alexandre Belloni <alexandre.belloni@...tlin.com>
To:     Trent Piepho <tpiepho@...inj.com>
Cc:     "patrice.chotard@...com" <patrice.chotard@...com>,
        "linux-rtc@...r.kernel.org" <linux-rtc@...r.kernel.org>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] rtc: st-lpc: remove unnecessary check

On 30/04/2019 22:31:19+0000, Trent Piepho wrote:
> On Tue, 2019-04-30 at 22:18 +0200, Alexandre Belloni wrote:
> > The RTC core already ensures the alarm is set to a time in the future, it
> > is not necessary to check again in the driver.
> 
> My reading of the rtc core code is that it checks if the alarm is in
> the future *twice* before handing off the set call to the driver, which
> possibly checks a 3rd time (as seen here).
> 
> However, all these checks are done *before* setting the alarm.  It
> still possible to have a race and set the alarm after the time has
> already passed, in which case the alarm will never fire.
> 

I agree the core need to handle that possible race better and this is
something I'm planning to work on.

> The way to fix the race would be to have the driver check the alarm
> *after* setting it.  In precisely this order, do these steps:
> 
> 1. Set alarm in RTC, to Talarm
> 2. Get time from RTC, as Tcurrent
> 3. Get alarm status from RTC
> 
> If Talarm < Tcurrent, alarm was set to future time, no error

This should be Talarm > Tcurrent, right?

> Else
>   If status == fired, alarm was set and has since fired, no error
>   Else status == not fired, alarm was set in past, EINVAL
> 
> This should be race free.
> 
> 
> >  
> > -	/* Invalid alarm time */
> > -	if (now_secs > alarm_secs)
> > -		return -EINVAL;
> > -
> >  	memcpy(&rtc->alarm, t, sizeof(struct rtc_wkalrm));
> >  
> >  	/* Now many secs to fire */
>         alarm_secs -= now_secs;
>         lpa = (unsigned long long)alarm_secs * rtc->clkrate;
> 
> While it's true the time wouldn't normally be in past, it still races,
> as describe above. In that case, the math here underflows alarm_secs,
> so it probably still makes sense to check.

I can't believe you can possibly have more than one second between the
check in the core and the check in the driver, it doesn't make much
sense to check, even in the current state of the core.

-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Powered by blists - more mailing lists