Message ID | 1545298616-62881-1-git-send-email-zhangxiaoxu5@huawei.com |
---|---|
State | Accepted |
Series | rtc: Fix UBSAN overflow warning |
Hi, On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote: > Users may call 'ioctl' and pass a very big value on 'tm->tm_year'. > It can be overflowed in 'int' after add 1900. > In function 'rtc_month_days' and 'mktime64', also treated it as an > 'unsigned' parameter. > > UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59 > signed integer overflow: > 2147483647 + 1900 cannot be represented in type 'int' > > UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30 > signed integer overflow: > 2147483647 + 1900 cannot be represented in type 'int' > > So, covert it to 'unsigned' explicitly. > > Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> > --- > drivers/rtc/rtc-lib.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c > index ef160da..9714cb3 100644 > --- a/drivers/rtc/rtc-lib.c > +++ b/drivers/rtc/rtc-lib.c > @@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm) > if (tm->tm_year < 70 > || ((unsigned)tm->tm_mon) >= 12 > || tm->tm_mday < 1 > - || tm->tm_mday > rtc_month_days(tm->tm_mon, tm->tm_year + 1900) > + || tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900)) Isn't the cast to unsigned done by rtc_month_days enough? > || ((unsigned)tm->tm_hour) >= 24 > || ((unsigned)tm->tm_min) >= 60 > || ((unsigned)tm->tm_sec) >= 60) > @@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm); > */ > time64_t rtc_tm_to_time64(struct rtc_time *tm) > { > - return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, > - tm->tm_hour, tm->tm_min, tm->tm_sec); > + return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1, > + tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec); mktime64 will fail way before tm->tm_year + 1900 overflows an int and also it already takes an unsigned int for year so I'm not sure this cast is actually necessary. > } > EXPORT_SYMBOL(rtc_tm_to_time64); > > -- > 2.7.4 >
On 12/20/2018 7:07 PM, Alexandre Belloni wrote: > Hi, > > On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote: >> Users may call 'ioctl' and pass a very big value on 'tm->tm_year'. >> It can be overflowed in 'int' after add 1900. >> In function 'rtc_month_days' and 'mktime64', also treated it as an >> 'unsigned' parameter. >> >> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59 >> signed integer overflow: >> 2147483647 + 1900 cannot be represented in type 'int' >> >> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30 >> signed integer overflow: >> 2147483647 + 1900 cannot be represented in type 'int' >> >> So, covert it to 'unsigned' explicitly. >> >> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> >> --- >> drivers/rtc/rtc-lib.c | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c >> index ef160da..9714cb3 100644 >> --- a/drivers/rtc/rtc-lib.c >> +++ b/drivers/rtc/rtc-lib.c >> @@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm) >> if (tm->tm_year < 70 >> || ((unsigned)tm->tm_mon) >= 12 >> || tm->tm_mday < 1 >> - || tm->tm_mday > rtc_month_days(tm->tm_mon, (unsigned)(tm->tm_year + 1900)) >> + || tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900)) > > Isn't the cast to unsigned done by rtc_month_days enough? The undefined behaviour is 'tm->tm_year + 1900', rtc_month_days just convert the result to unsigned. Also, signed integer overflow is undefined according to the C standard. > >> || ((unsigned)tm->tm_hour) >= 24 >> || ((unsigned)tm->tm_min) >= 60 >> || ((unsigned)tm->tm_sec) >= 60) 
>> @@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm); >> */ >> time64_t rtc_tm_to_time64(struct rtc_time *tm) >> { >> - return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, >> - tm->tm_hour, tm->tm_min, tm->tm_sec); >> + return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1, >> + tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec); > > mktime64 will fail way before tm->tm_year + 1900 overflows an int and > also it already takes an unsigned int for year so I'm not sure this cast > is actually necessary. > >> } >> EXPORT_SYMBOL(rtc_tm_to_time64); >> >> -- >> 2.7.4 >> >
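The distinction drawn in the reply above, as an added example that is not part of the thread or of the kernel source: a userspace C model that reports where the signed 'tm_year + 1900' would overflow and runs the cast-then-add form on the same input. The struct and function names are hypothetical; 32-bit int and the GCC/Clang overflow builtin are assumed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the year handling discussed in the thread; the struct
 * and function names are hypothetical, not the kernel's. Assumes 32-bit int. */
struct model_tm { int tm_year, tm_mon, tm_mday; };
static const int days_in_month[12] = { 31, 28, 31, 30, 31, 30,
				       31, 31, 30, 31, 30, 31 };

static int month_days(unsigned int month, unsigned int year)
{
	bool leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
	return days_in_month[month] + (leap && month == 1);
}

/* True when the pre-patch 'tm_year + 1900' cannot be represented in int.
 * __builtin_add_overflow (GCC/Clang) checks without doing the signed add. */
bool signed_year_add_overflows(int tm_year)
{
	int sum;
	return __builtin_add_overflow(tm_year, 1900, &sum);
}

/* Patched form: convert first, then add in unsigned arithmetic. */
unsigned int full_year(int tm_year)
{
	return (unsigned int)tm_year + 1900;
}

/* Shaped like the patched condition: '< 70' is tested first, so only
 * non-negative years reach the cast. Returns 0 if accepted, -1 if not. */
int model_valid_date(const struct model_tm *tm)
{
	if (tm->tm_year < 70
	    || (unsigned int)tm->tm_mon >= 12
	    || tm->tm_mday < 1
	    || tm->tm_mday > month_days(tm->tm_mon, full_year(tm->tm_year)))
		return -1;
	return 0;
}

int main(void)
{
	struct model_tm t = { INT_MAX, 1, 28 };	/* constructed input */
	printf("overflow=%d valid=%d\n", signed_year_add_overflows(t.tm_year),
	       model_valid_date(&t));
	return 0;
}
```

In this model a year of INT_MAX is accepted once the addition is well defined, because nothing bounds tm_year from above.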
On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote:
> Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
> It can be overflowed in 'int' after add 1900.
> In function 'rtc_month_days' and 'mktime64', also treated it as an
> 'unsigned' parameter.
>
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
>
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
>
> So, convert it to 'unsigned' explicitly.
>
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
> ---
> drivers/rtc/rtc-lib.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>

Applied, thanks.
diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c index ef160da..9714cb3 100644 --- a/drivers/rtc/rtc-lib.c +++ b/drivers/rtc/rtc-lib.c @@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm) if (tm->tm_year < 70 || ((unsigned)tm->tm_mon) >= 12 || tm->tm_mday < 1 - || tm->tm_mday > rtc_month_days(tm->tm_mon, tm->tm_year + 1900) + || tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900)) || ((unsigned)tm->tm_hour) >= 24 || ((unsigned)tm->tm_min) >= 60 || ((unsigned)tm->tm_sec) >= 60) @@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm); */ time64_t rtc_tm_to_time64(struct rtc_time *tm) { - return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec); + return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1, + tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec); } EXPORT_SYMBOL(rtc_tm_to_time64);
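Review bot: rtc_valid_tm() still has no upper limit on tm_year in the lines shown: 'tm->tm_year < 70' is the only range test on the year, so with the cast in place a year of 2147483647 from the ioctl path named in the commit message is passed on to rtc_month_days() as a well-defined but meaningless value rather than rejected. Consider adding an explicit upper bound beside the '< 70' test, which would also make the signed 'tm_year + 1900' safe without a cast; if the cast stays, drop the redundant outer parentheses in '((unsigned)tm->tm_year + 1900)'.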
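Review bot: In rtc_tm_to_time64() the second argument 'tm->tm_mon + 1' is left as a signed addition, so the overflow this patch removes for tm_year is still reachable for tm_mon = INT_MAX if the struct has not been validated first (the '(unsigned)tm->tm_mon' cast in rtc_valid_tm() indicates the field is signed). Either treat it the same way as the year, or state in the function's comment that callers must pass rtc_valid_tm() before converting.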
Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
It can be overflowed in 'int' after add 1900.
In function 'rtc_month_days' and 'mktime64', also treated it as an
'unsigned' parameter.

UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
signed integer overflow:
2147483647 + 1900 cannot be represented in type 'int'

UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
signed integer overflow:
2147483647 + 1900 cannot be represented in type 'int'

So, convert it to 'unsigned' explicitly.

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
---
drivers/rtc/rtc-lib.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)