From ced58da749367fa70b00d00959272054aa7ab48a Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:27:25 +0100 Subject: nspawn: shown exec() command is misleading There's no point in updating exec_target for each binary we try to execute, if we override it right-away anyway... Let's just do this once, and include all binaries we try each time. Follow-up for 1a68e1e543fd8f899503bec00585a16ada296ef7. --- src/nspawn/nspawn.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 0474f61d43..5594b87efa 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2317,14 +2317,16 @@ static int inner_child( memcpy_safe(a + 1, arg_parameters, m * sizeof(char*)); a[1 + m] = NULL; - exec_target = a[0] = (char*) "/usr/lib/systemd/systemd"; + a[0] = (char*) "/usr/lib/systemd/systemd"; execve(a[0], a, env_use); - exec_target = a[0] = (char*) "/lib/systemd/systemd"; + a[0] = (char*) "/lib/systemd/systemd"; execve(a[0], a, env_use); - exec_target = a[0] = (char*) "/sbin/init"; + a[0] = (char*) "/sbin/init"; execve(a[0], a, env_use); + + exec_target = "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init"; } else if (!strv_isempty(arg_parameters)) { exec_target = arg_parameters[0]; execvpe(arg_parameters[0], arg_parameters, env_use); @@ -2333,11 +2335,10 @@ static int inner_child( /* If we cannot change the directory, we'll end up in /, that is expected. */ (void) chdir(home ?: "/root"); - exec_target = "/bin/bash"; execle("/bin/bash", "-bash", NULL, env_use); - - exec_target = "/bin/sh"; execle("/bin/sh", "-sh", NULL, env_use); + + exec_target = "/bin/bash, /bin/sh"; } r = -errno; -- cgit v1.2.3-54-g00ecf From c477ff141b875a2a98c90514b6bf23f0436d1f73 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:25:33 +0100 Subject: time: time_t is signed, and mktime() is happy to return negative time Passing a year such as 1960 to mktime() will result in a negative return value. This is quite confusing, as the man page claims that on failure the call will return -1... Given that our own usec_t type is unsigned, and we can't express times before 1970 hence, let's consider all negative times returned by mktime() as invalid, regardless if just -1, or anything else negative. --- src/basic/calendarspec.c | 8 ++++---- src/basic/time-util.c | 9 ++++----- 2 files changed, 8 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c index 2e5622699d..35dfb6a3db 100644 --- a/src/basic/calendarspec.c +++ b/src/basic/calendarspec.c @@ -1020,7 +1020,7 @@ static int find_end_of_month(struct tm *tm, bool utc, int day) { t.tm_mon++; t.tm_mday = 1 - day; - if (mktime_or_timegm(&t, utc) == (time_t) -1 || + if (mktime_or_timegm(&t, utc) < 0 || t.tm_mon != tm->tm_mon) return -1; @@ -1086,7 +1086,7 @@ static bool tm_out_of_bounds(const struct tm *tm, bool utc) { t = *tm; - if (mktime_or_timegm(&t, utc) == (time_t) -1) + if (mktime_or_timegm(&t, utc) < 0) return true; /* @@ -1115,7 +1115,7 @@ static bool matches_weekday(int weekdays_bits, const struct tm *tm, bool utc) { return true; t = *tm; - if (mktime_or_timegm(&t, utc) == (time_t) -1) + if (mktime_or_timegm(&t, utc) < 0) return false; k = t.tm_wday == 0 ? 6 : t.tm_wday - 1; @@ -1238,7 +1238,7 @@ int calendar_spec_next_usec(const CalendarSpec *spec, usec_t usec, usec_t *next) return r; t = mktime_or_timegm(&tm, spec->utc); - if (t == (time_t) -1) + if (t < 0) return -EINVAL; *next = (usec_t) t * USEC_PER_SEC + tm_usec; diff --git a/src/basic/time-util.c b/src/basic/time-util.c index 1310c76336..2b44cdf0b1 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -185,7 +185,7 @@ usec_t triple_timestamp_by_clock(triple_timestamp *ts, clockid_t clock) { usec_t timespec_load(const struct timespec *ts) { assert(ts); - if (ts->tv_sec == (time_t) -1 && ts->tv_nsec == (long) -1) + if (ts->tv_sec < 0 || ts->tv_nsec < 0) return USEC_INFINITY; if ((usec_t) ts->tv_sec > (UINT64_MAX - (ts->tv_nsec / NSEC_PER_USEC)) / USEC_PER_SEC) @@ -199,7 +199,7 @@ usec_t timespec_load(const struct timespec *ts) { nsec_t timespec_load_nsec(const struct timespec *ts) { assert(ts); - if (ts->tv_sec == (time_t) -1 && ts->tv_nsec == (long) -1) + if (ts->tv_sec < 0 || ts->tv_nsec < 0) return NSEC_INFINITY; if ((nsec_t) ts->tv_sec >= (UINT64_MAX - ts->tv_nsec) / NSEC_PER_SEC) @@ -226,8 +226,7 @@ struct timespec *timespec_store(struct timespec *ts, usec_t u) { usec_t timeval_load(const struct timeval *tv) { assert(tv); - if (tv->tv_sec == (time_t) -1 && - tv->tv_usec == (suseconds_t) -1) + if (tv->tv_sec < 0 || tv->tv_usec < 0) return USEC_INFINITY; if ((usec_t) tv->tv_sec > (UINT64_MAX - tv->tv_usec) / USEC_PER_SEC) @@ -830,7 +829,7 @@ parse_usec: from_tm: x = mktime_or_timegm(&tm, utc); - if (x == (time_t) -1) + if (x < 0) return -EINVAL; if (weekday >= 0 && tm.tm_wday != weekday) -- cgit v1.2.3-54-g00ecf From 1bb4b028a380d74cff6399ea1d8ffcf1b2f122bc Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:30:29 +0100 Subject: time-util: refuse formatting/parsing times that we can't store usec_t is always 64bit, which means it can cover quite a number of years. However, 4 digit year display and glibc limitations around time_t limit what we can actually parse and format. Let's make this explicit, so that we never end up formatting dates we can#t parse and vice versa. Note that this is really just about formatting/parsing. Internal calculations with times outside of the formattable range are not affected. --- src/basic/calendarspec.c | 3 +++ src/basic/time-util.c | 11 +++++++++-- src/basic/time-util.h | 11 +++++++++++ src/shared/logs-show.c | 5 +++++ src/test/test-date.c | 10 ++++++++++ src/test/test-time.c | 28 +++++++++++++++++++++++++++- 6 files changed, 65 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c index 35dfb6a3db..3fa1c51ace 100644 --- a/src/basic/calendarspec.c +++ b/src/basic/calendarspec.c @@ -1228,6 +1228,9 @@ int calendar_spec_next_usec(const CalendarSpec *spec, usec_t usec, usec_t *next) assert(spec); assert(next); + if (usec > USEC_TIMESTAMP_FORMATTABLE_MAX) + return -EINVAL; + usec++; t = (time_t) (usec / USEC_PER_SEC); assert_se(localtime_or_gmtime_r(&t, &tm, spec->utc)); diff --git a/src/basic/time-util.c b/src/basic/time-util.c index 2b44cdf0b1..eefbf90923 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -287,9 +287,11 @@ static char *format_timestamp_internal( if (t <= 0 || t == USEC_INFINITY) return NULL; /* Timestamp is unset */ + /* Let's not format times with years > 9999 */ + if (t > USEC_TIMESTAMP_FORMATTABLE_MAX) + return NULL; + sec = (time_t) (t / USEC_PER_SEC); /* Round down */ - if ((usec_t) sec != (t / USEC_PER_SEC)) - return NULL; /* overflow? */ if (!localtime_or_gmtime_r(&sec, &tm, utc)) return NULL; @@ -836,9 +838,14 @@ from_tm: return -EINVAL; ret = (usec_t) x * USEC_PER_SEC + x_usec; + if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX) + return -EINVAL; finish: ret += plus; + if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX) + return -EINVAL; + if (ret > minus) ret -= minus; else diff --git a/src/basic/time-util.h b/src/basic/time-util.h index f67a4474ed..7463507f51 100644 --- a/src/basic/time-util.h +++ b/src/basic/time-util.h @@ -181,3 +181,14 @@ static inline usec_t usec_sub(usec_t timestamp, int64_t delta) { return timestamp - delta; } + +#if SIZEOF_TIME_T == 8 +/* The last second we can format is 31. Dec 9999, 1s before midnight, because otherwise we'd enter 5 digit year + * territory. However, since we want to stay away from this in all timezones we take one day off. */ +#define USEC_TIMESTAMP_FORMATTABLE_MAX ((usec_t) 253402214399000000) +#elif SIZEOF_TIME_T == 4 +/* With a 32bit time_t we can't go beyond 2038... */ +#define USEC_TIMESTAMP_FORMATTABLE_MAX ((usec_t) 2147483647000000) +#else +#error "Yuck, time_t is neither 4 not 8 bytes wide?" +#endif diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index 75ea25c8ac..72c43e80cb 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -246,6 +246,11 @@ static int output_timestamp_realtime(FILE *f, sd_journal *j, OutputMode mode, Ou if (r < 0) return log_error_errno(r, "Failed to get realtime timestamp: %m"); + if (x > USEC_TIMESTAMP_FORMATTABLE_MAX) { + log_error("Timestamp cannot be printed"); + return -EINVAL; + } + if (mode == OUTPUT_SHORT_FULL) { const char *k; diff --git a/src/test/test-date.c b/src/test/test-date.c index a8d3f1e083..b77598c81d 100644 --- a/src/test/test-date.c +++ b/src/test/test-date.c @@ -95,6 +95,16 @@ int main(int argc, char *argv[]) { test_one_noutc("@1395716396"); test_should_parse("today UTC"); test_should_fail("today UTC UTC"); + test_should_parse("1970-1-1 UTC"); + test_should_fail("1969-1-1 UTC"); +#if SIZEOF_TIME_T == 8 + test_should_parse("9999-12-30 23:59:59 UTC"); + test_should_fail("9999-12-31 00:00:00 UTC"); + test_should_fail("10000-01-01 00:00:00 UTC"); +#elif SIZEOF_TIME_T == 4 + test_should_parse("2038-01-19 03:14:07 UTC"); + test_should_fail( "2038-01-19 03:14:08 UTC"); +#endif return 0; } diff --git a/src/test/test-time.c b/src/test/test-time.c index 8259491813..911282bf0c 100644 --- a/src/test/test-time.c +++ b/src/test/test-time.c @@ -17,9 +17,10 @@ along with systemd; If not, see . ***/ +#include "random-util.h" +#include "string-util.h" #include "strv.h" #include "time-util.h" -#include "random-util.h" static void test_parse_sec(void) { usec_t u; @@ -248,6 +249,30 @@ static void test_format_timestamp(void) { } } +static void test_format_timestamp_utc_one(usec_t t, const char *result) { + char buf[FORMAT_TIMESTAMP_MAX]; + + assert_se(!format_timestamp_utc(buf, sizeof(buf), t) == !result); + + if (result) + assert_se(streq(result, buf)); +} + +static void test_format_timestamp_utc(void) { + test_format_timestamp_utc_one(0, NULL); + test_format_timestamp_utc_one(1, "Thu 1970-01-01 00:00:00 UTC"); + test_format_timestamp_utc_one(USEC_PER_SEC, "Thu 1970-01-01 00:00:01 UTC"); + +#if SIZEOF_TIME_T == 8 + test_format_timestamp_utc_one(USEC_TIMESTAMP_FORMATTABLE_MAX, "Thu 9999-12-30 23:59:59 UTC"); +#elif SIZEOF_TIME_T == 4 + test_format_timestamp_utc_one(USEC_TIMESTAMP_FORMATTABLE_MAX, "Tue 2038-01-19 03:14:07 UTC"); +#endif + + test_format_timestamp_utc_one(USEC_TIMESTAMP_FORMATTABLE_MAX+1, NULL); + test_format_timestamp_utc_one(USEC_INFINITY, NULL); +} + int main(int argc, char *argv[]) { uintmax_t x; @@ -262,6 +287,7 @@ int main(int argc, char *argv[]) { test_usec_add(); test_usec_sub(); test_format_timestamp(); + test_format_timestamp_utc(); /* Ensure time_t is signed */ assert_cc((time_t) -1 < (time_t) 1); -- cgit v1.2.3-54-g00ecf From f977849c244b789c3530a4da8e00f2ad98c79f1f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:33:36 +0100 Subject: time-util: when converting to time_t do something useful in 2038 On systems where time_t is 32bit we should invalidate the timeval/timespec instead of proceeding with a potentially overflown value. --- src/basic/time-util.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/basic/time-util.c b/src/basic/time-util.c index eefbf90923..4070ee182e 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -211,7 +211,8 @@ nsec_t timespec_load_nsec(const struct timespec *ts) { struct timespec *timespec_store(struct timespec *ts, usec_t u) { assert(ts); - if (u == USEC_INFINITY) { + if (u == USEC_INFINITY || + u / USEC_INFINITY >= TIME_T_MAX) { ts->tv_sec = (time_t) -1; ts->tv_nsec = (long) -1; return ts; @@ -240,7 +241,8 @@ usec_t timeval_load(const struct timeval *tv) { struct timeval *timeval_store(struct timeval *tv, usec_t u) { assert(tv); - if (u == USEC_INFINITY) { + if (u == USEC_INFINITY|| + u / USEC_PER_SEC > TIME_T_MAX) { tv->tv_sec = (time_t) -1; tv->tv_usec = (suseconds_t) -1; } else { -- cgit v1.2.3-54-g00ecf From 74c5b33b0aaed6aae67e858926f5b1558e05b148 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:34:26 +0100 Subject: time-util: when formatting usec_t as raw integers use PRIu64 After all, usec_t is defined as uint64_t, and not as unsigned long long. --- src/basic/time-util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/basic/time-util.c b/src/basic/time-util.c index 4070ee182e..fd86f1d449 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -554,12 +554,12 @@ void dual_timestamp_serialize(FILE *f, const char *name, dual_timestamp *t) { } int dual_timestamp_deserialize(const char *value, dual_timestamp *t) { - unsigned long long a, b; + uint64_t a, b; assert(value); assert(t); - if (sscanf(value, "%llu %llu", &a, &b) != 2) { + if (sscanf(value, "%" PRIu64 "%" PRIu64, &a, &b) != 2) { log_debug("Failed to parse dual timestamp value \"%s\": %m", value); return -EINVAL; } -- cgit v1.2.3-54-g00ecf From 315782db1423021c57d0dacecc48e5d15359c1cf Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:35:00 +0100 Subject: time-util: add overflow checking to monotonic timestamp specifications --- src/basic/time-util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/basic/time-util.c b/src/basic/time-util.c index fd86f1d449..4ced1bc6a1 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -844,6 +844,8 @@ from_tm: return -EINVAL; finish: + if (ret + plus < ret) /* overflow? */ + return -EINVAL; ret += plus; if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX) return -EINVAL; -- cgit v1.2.3-54-g00ecf From ed737400c207b6b909cd6168713e528771693923 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 2 Feb 2017 18:36:15 +0100 Subject: cgls: --machine= expects an argument, indicate that in log messages We gnerally suffix file settings and cmdline options that expect ags with "=" to indicate that. Do so here, too. --- src/cgls/cgls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/cgls/cgls.c b/src/cgls/cgls.c index 82b4d9ccb3..ea79b9185e 100644 --- a/src/cgls/cgls.c +++ b/src/cgls/cgls.c @@ -149,7 +149,7 @@ static int parse_argv(int argc, char *argv[]) { } if (arg_machine && arg_show_unit != SHOW_UNIT_NONE) { - log_error("Cannot combine --unit or --user-unit with --machine."); + log_error("Cannot combine --unit or --user-unit with --machine=."); return -EINVAL; } -- cgit v1.2.3-54-g00ecf