rtc: Fix UBSAN overflow warning

Message ID	1545298616-62881-1-git-send-email-zhangxiaoxu5@huawei.com
State	Accepted
Headers	show Return-Path: <linux-rtc-owner@vger.kernel.org> From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> To: <a.zummo@towertech.it>, <alexandre.belloni@bootlin.com>, <linux-rtc@vger.kernel.org> Subject: [PATCH] rtc: Fix UBSAN overflow warning Date: Thu, 20 Dec 2018 17:36:56 +0800 Message-ID: <1545298616-62881-1-git-send-email-zhangxiaoxu5@huawei.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-rtc-owner@vger.kernel.org Precedence: bulk
Series	rtc: Fix UBSAN overflow warning \| expand rtc: Fix UBSAN overflow warning

Message ID

1545298616-62881-1-git-send-email-zhangxiaoxu5@huawei.com

State

Accepted

Headers

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
To: <a.zummo@towertech.it>, <alexandre.belloni@bootlin.com>,
	<linux-rtc@vger.kernel.org>
Subject: [PATCH] rtc: Fix UBSAN overflow warning
Date: Thu, 20 Dec 2018 17:36:56 +0800
Message-ID: <1545298616-62881-1-git-send-email-zhangxiaoxu5@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-rtc-owner@vger.kernel.org
Precedence: bulk

Series

rtc: Fix UBSAN overflow warning | expand

Commit Message

zhangxiaoxu (A) Dec. 20, 2018, 9:36 a.m. UTC

Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
It can be overflowed in 'int' after add 1900.
In function 'rtc_month_days' and 'mktime64', also treated it as an
'unsigned' parameter.

UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
signed integer overflow:
2147483647 + 1900 cannot be represented in type 'int'

UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
signed integer overflow:
2147483647 + 1900 cannot be represented in type 'int'

So, covert it to 'unsigned' explicitly.

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
---
 drivers/rtc/rtc-lib.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Alexandre Belloni Dec. 20, 2018, 11:07 a.m. UTC | #1

Hi,

On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote:
> Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
> It can be overflowed in 'int' after add 1900.
> In function 'rtc_month_days' and 'mktime64', also treated it as an
> 'unsigned' parameter.
> 
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
> 
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
> 
> So, covert it to 'unsigned' explicitly.
> 
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
> ---
>  drivers/rtc/rtc-lib.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c
> index ef160da..9714cb3 100644
> --- a/drivers/rtc/rtc-lib.c
> +++ b/drivers/rtc/rtc-lib.c
> @@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm)
>  	if (tm->tm_year < 70
>  		|| ((unsigned)tm->tm_mon) >= 12
>  		|| tm->tm_mday < 1
> -		|| tm->tm_mday > rtc_month_days(tm->tm_mon, tm->tm_year + 1900)
> +		|| tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900))

Isn't the cast to unsigned done by rtc_month_days enough?

>  		|| ((unsigned)tm->tm_hour) >= 24
>  		|| ((unsigned)tm->tm_min) >= 60
>  		|| ((unsigned)tm->tm_sec) >= 60)
> @@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm);
>   */
>  time64_t rtc_tm_to_time64(struct rtc_time *tm)
>  {
> -	return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
> -			tm->tm_hour, tm->tm_min, tm->tm_sec);
> +	return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1,
> +			tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);

mktime64 will fail way before tm->tm_year + 1900 overflows an int and
also it already takes an unsigned int for year so I'm not sure this cast
is actually necessary.

>  }
>  EXPORT_SYMBOL(rtc_tm_to_time64);
>  
> -- 
> 2.7.4
>

zhangxiaoxu (A) Dec. 20, 2018, 2:11 p.m. UTC | #2

On 12/20/2018 7:07 PM, Alexandre Belloni wrote:
> Hi,
> 
> On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote:
>> Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
>> It can be overflowed in 'int' after add 1900.
>> In function 'rtc_month_days' and 'mktime64', also treated it as an
>> 'unsigned' parameter.
>>
>> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
>> signed integer overflow:
>> 2147483647 + 1900 cannot be represented in type 'int'
>>
>> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
>> signed integer overflow:
>> 2147483647 + 1900 cannot be represented in type 'int'
>>
>> So, covert it to 'unsigned' explicitly.
>>
>> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
>> ---
>>   drivers/rtc/rtc-lib.c | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c
>> index ef160da..9714cb3 100644
>> --- a/drivers/rtc/rtc-lib.c
>> +++ b/drivers/rtc/rtc-lib.c
>> @@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm)
>>   	if (tm->tm_year < 70
>>   		|| ((unsigned)tm->tm_mon) >= 12
>>   		|| tm->tm_mday < 1
>> -		|| tm->tm_mday > rtc_month_days(tm->tm_mon, (unsigned)(tm->tm_year + 1900))
>> +		|| tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900))
> 
> Isn't the cast to unsigned done by rtc_month_days enough?
The undefined behaviour is 'tm->tm_year + 1900', rtc_month_days just convert the result to unsigned.
Also, signed integer overflow is undefined according to the C standard.
> 
>>   		|| ((unsigned)tm->tm_hour) >= 24
>>   		|| ((unsigned)tm->tm_min) >= 60
>>   		|| ((unsigned)tm->tm_sec) >= 60)
>> @@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm);
>>    */
>>   time64_t rtc_tm_to_time64(struct rtc_time *tm)
>>   {
>> -	return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
>> -			tm->tm_hour, tm->tm_min, tm->tm_sec);
>> +	return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1,
>> +			tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
> 
> mktime64 will fail way before tm->tm_year + 1900 overflows an int and
> also it already takes an unsigned int for year so I'm not sure this cast
> is actually necessary.
> 
>>   }
>>   EXPORT_SYMBOL(rtc_tm_to_time64);
>>   
>> -- 
>> 2.7.4
>>
>

Alexandre Belloni Jan. 10, 2019, 9:03 p.m. UTC | #3

On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote:
> Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
> It can be overflowed in 'int' after add 1900.
> In function 'rtc_month_days' and 'mktime64', also treated it as an
> 'unsigned' parameter.
> 
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
> 
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
> 
> So, covert it to 'unsigned' explicitly.
> 
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
> ---
>  drivers/rtc/rtc-lib.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
Applied, thanks.

diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c
index ef160da..9714cb3 100644
--- a/drivers/rtc/rtc-lib.c
+++ b/drivers/rtc/rtc-lib.c
@@ -100,7 +100,7 @@  int rtc_valid_tm(struct rtc_time *tm)
 	if (tm->tm_year < 70
 		|| ((unsigned)tm->tm_mon) >= 12
 		|| tm->tm_mday < 1
-		|| tm->tm_mday > rtc_month_days(tm->tm_mon, tm->tm_year + 1900)
+		|| tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900))
 		|| ((unsigned)tm->tm_hour) >= 24
 		|| ((unsigned)tm->tm_min) >= 60
 		|| ((unsigned)tm->tm_sec) >= 60)
@@ -116,8 +116,8 @@  EXPORT_SYMBOL(rtc_valid_tm);
  */
 time64_t rtc_tm_to_time64(struct rtc_time *tm)
 {
-	return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
-			tm->tm_hour, tm->tm_min, tm->tm_sec);
+	return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1,
+			tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
 }
 EXPORT_SYMBOL(rtc_tm_to_time64);

rtc: Fix UBSAN overflow warning

Commit Message

Comments

Patch