| Message ID | 1313183070-16724-1-git-send-email-mikew@google.com |
|---|---|
| State | Accepted |
| Headers | show |
On Fri, Aug 12, 2011 at 2:04 PM, Mike Waychison <mikew@google.com> wrote: > Even though the Linux kernel does not use the tm_isdst field, it is > exposed as part of the ABI. This field can accidentally be left > initialized, which is why we currently memset buffers returned to > userland in rtc_read_time. > > There is a case however where the field can return garbage from the > stack though when using the RTC_ALM_READ ioctl on the rtc device. This > ioctl invokes rtc_read_alarm, which is careful to memset the rtc_wkalrm > buffer that is copied to userland, but it then uses a struct copy to > assign to alarm->time given the return value from rtc_ktime_to_tm(). > > rtc_ktime_to_tm() is implemented by calling rtc_time_to_tm using a > derivative seconds counds from ktime, but rtc_time_to_tm does not assign > a value to ->tm_isdst. This results in garbage from rtc_ktime_to_tm()'s > frame ending up being copied out to userland as part of the returned > rtc_wkalrm. Thanks for catching this! I've queued this in my tree. thanks -john
diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c index 075f170..c4cf057 100644 --- a/drivers/rtc/rtc-lib.c +++ b/drivers/rtc/rtc-lib.c @@ -85,6 +85,8 @@ void rtc_time_to_tm(unsigned long time, struct rtc_time *tm) time -= tm->tm_hour * 3600; tm->tm_min = time / 60; tm->tm_sec = time - tm->tm_min * 60; + + tm->tm_isdst = 0; } EXPORT_SYMBOL(rtc_time_to_tm);
Even though the Linux kernel does not use the tm_isdst field, it is exposed as part of the ABI. This field can accidentally be left initialized, which is why we currently memset buffers returned to userland in rtc_read_time. There is a case however where the field can return garbage from the stack though when using the RTC_ALM_READ ioctl on the rtc device. This ioctl invokes rtc_read_alarm, which is careful to memset the rtc_wkalrm buffer that is copied to userland, but it then uses a struct copy to assign to alarm->time given the return value from rtc_ktime_to_tm(). rtc_ktime_to_tm() is implemented by calling rtc_time_to_tm using a derivative seconds counds from ktime, but rtc_time_to_tm does not assign a value to ->tm_isdst. This results in garbage from rtc_ktime_to_tm()'s frame ending up being copied out to userland as part of the returned rtc_wkalrm. Fix this by initializing rtc_time->tm_isdst to 0 in rtc_time_to_tm. Signed-off-by: Mike Waychison <mikew@google.com> --- drivers/rtc/rtc-lib.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)