Hi,
On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote:
> Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
> It can be overflowed in 'int' after add 1900.
> In function 'rtc_month_days' and 'mktime64', also treated it as an
> 'unsigned' parameter.
>
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
>
> UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
> signed integer overflow:
> 2147483647 + 1900 cannot be represented in type 'int'
>
> So, covert it to 'unsigned' explicitly.
>
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@xxxxxxxxxx>
> ---
> drivers/rtc/rtc-lib.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c
> index ef160da..9714cb3 100644
> --- a/drivers/rtc/rtc-lib.c
> +++ b/drivers/rtc/rtc-lib.c
> @@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm)
> if (tm->tm_year < 70
> || ((unsigned)tm->tm_mon) >= 12
> || tm->tm_mday < 1
> - || tm->tm_mday > rtc_month_days(tm->tm_mon, tm->tm_year + 1900)
> + || tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900))
Isn't the cast to unsigned done by rtc_month_days enough?
> || ((unsigned)tm->tm_hour) >= 24
> || ((unsigned)tm->tm_min) >= 60
> || ((unsigned)tm->tm_sec) >= 60)
> @@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm);
> */
> time64_t rtc_tm_to_time64(struct rtc_time *tm)
> {
> - return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
> - tm->tm_hour, tm->tm_min, tm->tm_sec);
> + return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1,
> + tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
mktime64 will fail way before tm->tm_year + 1900 overflows an int and
also it already takes an unsigned int for year so I'm not sure this cast
is actually necessary.
> }
> EXPORT_SYMBOL(rtc_tm_to_time64);
>
> --
> 2.7.4
>
--
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
