Message-ID: <erttkpna2hzg7zuddzlocaou2wqcwmgcxfhldwdt55yleie6dm@nfg374fv66fq>
Date: Tue, 15 Apr 2025 00:30:25 +0200
From: Uwe Kleine-König <u.kleine-koenig@...libre.com>
To: Alexandre Mergnat <amergnat@...libre.com>
Cc: Eddie Huang <eddie.huang@...iatek.com>, 
	Sean Wang <sean.wang@...iatek.com>, Alexandre Belloni <alexandre.belloni@...tlin.com>, 
	Matthias Brugger <matthias.bgg@...il.com>, 
	AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>, Rob Herring <robh@...nel.org>, 
	Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor Dooley <conor+dt@...nel.org>, 
	linux-arm-kernel@...ts.infradead.org, linux-mediatek@...ts.infradead.org, linux-rtc@...r.kernel.org, 
	linux-kernel@...r.kernel.org, devicetree@...r.kernel.org
Subject: Re: [PATCH v3 3/5] rtc: Fix the RTC time comparison issues adding cast

Hello Alex,

On Fri, Apr 11, 2025 at 02:35:56PM +0200, Alexandre Mergnat wrote:
> The RTC subsystem was experiencing comparison issues between signed and
> unsigned time values. When comparing time64_t variables (signed) with
> potentially unsigned range values, incorrect results could occur leading
> to runtime errors.
> 
> Adds explicit type casts to time64_t for critical RTC time comparisons
> in both class.c and interface.c files. The changes ensure proper
> handling of negative time values during range validation and offset
> calculations, particularly when dealing with timestamps before 1970.
> 
> The previous implementation might incorrectly interpret negative values
> as extremely large positive values, causing unexpected behavior in the
> RTC hardware abstraction logic.
> 
> Signed-off-by: Alexandre Mergnat <amergnat@...libre.com>
> ---
>  drivers/rtc/class.c     | 6 +++---
>  drivers/rtc/interface.c | 8 ++++----
>  2 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
> index e31fa0ad127e9..1ee3f609f92ea 100644
> --- a/drivers/rtc/class.c
> +++ b/drivers/rtc/class.c
> @@ -282,7 +282,7 @@ static void rtc_device_get_offset(struct rtc_device *rtc)
>  	 * then we can not expand the RTC range by adding or subtracting one
>  	 * offset.
>  	 */
> -	if (rtc->range_min == rtc->range_max)
> +	if (rtc->range_min == (time64_t)rtc->range_max)
>  		return;

For which values of range_min and range_max does this change result in
different semantics?

Trying to answer that question myself I wrote two functions:

	#include <stdint.h>

	/* a == b: b is converted to uint64_t, so the comparison is unsigned */
	int compare_unsigned(uint64_t a, int64_t b)
	{
		return a == b;
	}

	/* (int64_t)a == b: a is converted to int64_t, so the comparison is signed */
	int compare_signed(uint64_t a, int64_t b)
	{
		return (int64_t)a == b;
	}

When I compile this (with gcc -Os) the assembly for both functions is
the same (tested for x86_64 and arm32).

>  	ret = device_property_read_u32(rtc->dev.parent, "start-year",
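Review bot: the cast in `if (rtc->range_min == (time64_t)rtc->range_max)` does not change the outcome for any input: without it range_min is converted to unsigned, with it range_max is converted to signed, and both conversions keep the 64-bit pattern, so equality holds for exactly the same pairs of values (the compare_unsigned/compare_signed pair in the reply compiling to identical code shows the same thing). Either drop this hunk or state in the commit message which values it is meant to affect.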
> @@ -299,7 +299,7 @@ static void rtc_device_get_offset(struct rtc_device *rtc)
>  	if (!rtc->set_start_time)
>  		return;
>  
> -	range_secs = rtc->range_max - rtc->range_min + 1;
> +	range_secs = (time64_t)rtc->range_max - rtc->range_min + 1;

In the case where no overflow (or underflow) happens, the result is the
same, isn't it? If there is an overflow, the unsigned variant is
probably the better choice because overflow for signed variables is
undefined behaviour (UB).

The respective demo program looks as follows:

	#include <stdint.h>

	/* unsigned: a + 3 wraps modulo 2^64, so this is false for the top three values of a */
	int test_unsigned(uint64_t a)
	{
		return a + 3 > a;
	}

	/* signed: overflow is UB, so the compiler may assume a + 3 > a always holds */
	int test_signed(int64_t a)
	{
		return a + 3 > a;
	}

Using again `gcc -Os`, the signed variant is compiled to a function that
returns true unconditionally while the unsigned one implements the
expected semantics.

>  	/*
>  	 * If the start_secs is larger than the maximum seconds (rtc->range_max)
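Review bot: `range_secs = (time64_t)rtc->range_max - rtc->range_min + 1;` moves the subtraction from unsigned arithmetic, where wrap-around is defined, into signed arithmetic, where overflow is undefined behaviour, and for a range_max above INT64_MAX the cast already produces a negative value before the subtraction happens. The declared type of range_secs is not visible in the hunk; whenever the true span fits, the unsigned expression assigns the same value, so the line gains only the undefined case. Keep the unsigned expression, or add an explicit bounds check and explain in the commit message which inputs it is protecting against.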
> @@ -327,7 +327,7 @@ static void rtc_device_get_offset(struct rtc_device *rtc)
>  	 *
>  	 * Otherwise the offset seconds should be 0.
>  	 */
> -	if (rtc->start_secs > rtc->range_max ||

The original comparison uses unsigned semantics. With start_secs signed
and range_max unsigned, this might become true if start_secs is less
than 0.

> +	if (rtc->start_secs > (time64_t)rtc->range_max ||

This new comparison has a similar problem: If range_max is bigger than
INT64_MAX, its value interpreted as a signed 64-bit integer might be a
negative number and so this comparison might become true unexpectedly.

So even if UB doesn't play a role here (I'm not sure), it's not clear to
me why you consider the issue of the unsigned comparison worse than the
signed one.

If this is indeed beneficial, it needs a better explanation than "When
comparing time64_t variables (signed) with potentially unsigned range
values, incorrect results could occur leading to runtime errors.".

Maybe you have to replace

	rtc->start_secs > rtc->range_max

by:

	rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max

instead?

>  	    rtc->start_secs + range_secs - 1 < rtc->range_min)
>  		rtc->offset_secs = rtc->start_secs - rtc->range_min;
>  	else if (rtc->start_secs > rtc->range_min)
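Review bot: `if (rtc->start_secs > (time64_t)rtc->range_max ||` trades one failure mode for another instead of removing it: a negative start_secs no longer compares as a huge unsigned value, but a range_max above INT64_MAX becomes negative after the cast and the condition then fires for almost every start_secs. A form that is correct on both sides, such as the `rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max` suggested in the reply, avoids both. The second operand on the following line, `rtc->start_secs + range_secs - 1 < rtc->range_min`, is left unchanged, so the commit message should also say whether the same concern applies there.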

I didn't check the other hunks.

All in all I would suggest splitting this series in two:

 - Adding support for mt6357 in the rtc-mt6359 driver
 - Fixing overflow issues in the rtc core

Given that I don't understand the intent of this patch, I cannot say if
it should be included in the 2nd series, or if this is yet another
standalone topic.

Best regards
Uwe
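
The following program is an added illustration of the signed/unsigned points discussed in the reply above; it is not code from the patch, from the mail, or from the kernel. It models the fields the second and third hunks touch with the types the thread describes (start_secs and range_min signed time64_t, range_max unsigned timeu64_t; the typedefs here are local stand-ins, not the kernel's), puts the pre-patch comparison, the patched cast and the sign-checked variant from the reply side by side, and uses the GCC/Clang `__builtin_*_overflow` builtins to show where the signed form of the range_secs subtraction would overflow. All sample values are constructed.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Local stand-ins for the kernel types, with the signedness the thread
 * describes: start_secs/range_min signed, range_max unsigned. */
typedef int64_t time64_t;
typedef uint64_t timeu64_t;

/* Pre-patch form of the first condition in hunk 3. Both operands have the
 * same rank, so start_secs is converted to unsigned: a negative start_secs
 * becomes a value near 2^64 and compares greater than any range_max. */
int start_exceeds_max_unsigned(time64_t start_secs, timeu64_t range_max)
{
	return start_secs > range_max;
}

/* Patch v3 form: range_max is cast to signed instead. A range_max above
 * INT64_MAX turns negative (modulo 2^64 on GCC), so the condition fires
 * for almost every start_secs. */
int start_exceeds_max_cast(time64_t start_secs, timeu64_t range_max)
{
	return start_secs > (time64_t)range_max;
}

/* Sign-checked form suggested in the reply. A negative start_secs is never
 * above range_max, and once start_secs is known non-negative the unsigned
 * comparison is exact for the whole 0..UINT64_MAX range of range_max. */
int start_exceeds_max_checked(time64_t start_secs, timeu64_t range_max)
{
	return start_secs >= 0 && (timeu64_t)start_secs > range_max;
}

/* Pre-patch form of hunk 2: unsigned arithmetic wraps modulo 2^64, which is
 * defined behaviour, and the wrap yields the right span whenever the true
 * count fits in 64 bits, including for a negative range_min. */
timeu64_t range_secs_unsigned(timeu64_t range_max, time64_t range_min)
{
	return range_max - range_min + 1;
}

/* Reports whether the patched, signed form of the same expression would
 * overflow time64_t, which is undefined behaviour in C. */
int range_secs_signed_overflows(timeu64_t range_max, time64_t range_min)
{
	time64_t diff, secs;

	/* the cast to time64_t already changes the value here */
	if (range_max > (timeu64_t)INT64_MAX)
		return 1;
	return __builtin_sub_overflow((time64_t)range_max, range_min, &diff) ||
	       __builtin_add_overflow(diff, (time64_t)1, &secs);
}

int main(void)
{
	/* constructed sample values, not taken from any driver */
	struct { time64_t start_secs; timeu64_t range_max; } cmp[] = {
		{ -1, 100 },            /* negative start_secs */
		{ 200, 100 },           /* genuinely out of range */
		{ 0, UINT64_MAX },      /* range_max above INT64_MAX */
	};
	struct { timeu64_t range_max; time64_t range_min; } span[] = {
		{ UINT32_MAX, 0 },      /* typical 32-bit counter */
		{ INT64_MAX, -1 },      /* true span of 2^63 + 1 seconds */
	};
	size_t i;

	for (i = 0; i < sizeof(cmp) / sizeof(cmp[0]); i++)
		printf("start=%" PRId64 " max=%" PRIu64 ": unsigned=%d cast=%d checked=%d\n",
		       cmp[i].start_secs, cmp[i].range_max,
		       start_exceeds_max_unsigned(cmp[i].start_secs, cmp[i].range_max),
		       start_exceeds_max_cast(cmp[i].start_secs, cmp[i].range_max),
		       start_exceeds_max_checked(cmp[i].start_secs, cmp[i].range_max));

	for (i = 0; i < sizeof(span) / sizeof(span[0]); i++)
		printf("max=%" PRIu64 " min=%" PRId64 ": range_secs=%" PRIu64 " signed_overflows=%d\n",
		       span[i].range_max, span[i].range_min,
		       range_secs_unsigned(span[i].range_max, span[i].range_min),
		       range_secs_signed_overflows(span[i].range_max, span[i].range_min));
	return 0;
}
```

The first table in the output shows that the unsigned form misjudges a negative start_secs, the cast form misjudges a range_max above INT64_MAX, and only the sign-checked form gets all three rows right; the second shows that the unsigned subtraction produces the right span for a negative range_min while the signed form would already overflow there.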
