On 12/20/2018 7:07 PM, Alexandre Belloni wrote:
Hi,
On 20/12/2018 17:36:56+0800, ZhangXiaoxu wrote:
Users may call 'ioctl' and pass a very big value on 'tm->tm_year'.
It can overflow 'int' after adding 1900.
The functions 'rtc_month_days' and 'mktime64' also treat it as an
'unsigned' parameter.
UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:103:59
signed integer overflow:
2147483647 + 1900 cannot be represented in type 'int'
UBSAN: Undefined behaviour in drivers/rtc/rtc-lib.c:119:30
signed integer overflow:
2147483647 + 1900 cannot be represented in type 'int'
So, convert it to 'unsigned' explicitly.
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@xxxxxxxxxx>
---
drivers/rtc/rtc-lib.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c
index ef160da..9714cb3 100644
--- a/drivers/rtc/rtc-lib.c
+++ b/drivers/rtc/rtc-lib.c
@@ -100,7 +100,7 @@ int rtc_valid_tm(struct rtc_time *tm)
if (tm->tm_year < 70
|| ((unsigned)tm->tm_mon) >= 12
|| tm->tm_mday < 1
- || tm->tm_mday > rtc_month_days(tm->tm_mon, (unsigned)(tm->tm_year + 1900))
+ || tm->tm_mday > rtc_month_days(tm->tm_mon, ((unsigned)tm->tm_year + 1900))
Isn't the cast to unsigned done by rtc_month_days enough?
The undefined behaviour is 'tm->tm_year + 1900', rtc_month_days just converts the result to unsigned.
Also, signed integer overflow is undefined according to the C standard.
|| ((unsigned)tm->tm_hour) >= 24
|| ((unsigned)tm->tm_min) >= 60
|| ((unsigned)tm->tm_sec) >= 60)
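Review bot: The tm_year test in this condition still has only a lower bound (`tm->tm_year < 70`), so the 2147483647 from the UBSAN report is now passed to rtc_month_days() as a very large year instead of being rejected. Consider adding an upper bound such as `tm->tm_year > INT_MAX - 1900` next to the existing test, which removes the overflow without depending on the cast. If the cast stays, the outer parentheses around `((unsigned)tm->tm_year + 1900)` are redundant.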
@@ -116,8 +116,8 @@ EXPORT_SYMBOL(rtc_valid_tm);
*/
time64_t rtc_tm_to_time64(struct rtc_time *tm)
{
- return mktime64(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
+ return mktime64(((unsigned)tm->tm_year + 1900), tm->tm_mon + 1,
+ tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
mktime64 will fail way before tm->tm_year + 1900 overflows an int and
also it already takes an unsigned int for year so I'm not sure this cast
is actually necessary.
}
EXPORT_SYMBOL(rtc_tm_to_time64);
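Review bot: In the mktime64() call only tm_year is converted; `tm->tm_mon + 1` on the same line is still a signed int addition on a field of the same struct, so the same kind of report is possible if a tm can reach this function unvalidated. Either treat tm_mon the same way, or say in the commit message which path reaches rtc_tm_to_time64() without going through rtc_valid_tm(), so the need for the cast here is documented.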
--
2.7.4
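The point made in the reply above (the signed addition overflows before any conversion to unsigned happens), shown as an added userspace sketch that is not part of the patch or of the kernel source. `tm_model`, `month_days`, `full_year_unsigned`, `full_year_checked` and `valid_tm_model` are hypothetical names, and `month_days` is only a stand-in for `rtc_month_days`.

```c
#include <limits.h>
#include <stdbool.h>

/* Userspace model, not kernel code: only the fields the patch touches. */
struct tm_model { int tm_mon; int tm_mday; int tm_year; };

static bool leap(unsigned int y)
{
	return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Stand-in for rtc_month_days(): month is 0-based, year is the full year. */
static int month_days(unsigned int month, unsigned int year)
{
	static const int days[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};

	return days[month] + (month == 1 && leap(year));
}

/* Form used by the patch: convert first, then add in unsigned arithmetic. */
unsigned int full_year_unsigned(int tm_year)
{
	return (unsigned int)tm_year + 1900u;
}

/* Alternative: refuse values whose signed sum would not fit in an int. */
bool full_year_checked(int tm_year, int *out)
{
	if (tm_year > INT_MAX - 1900)
		return false;
	*out = tm_year + 1900;
	return true;
}

/* Validation in the shape of the quoted check, with no signed addition. */
int valid_tm_model(const struct tm_model *tm)
{
	if (tm->tm_year < 70 || (unsigned int)tm->tm_mon >= 12 || tm->tm_mday < 1)
		return -1;
	if (tm->tm_mday > month_days((unsigned int)tm->tm_mon,
				     full_year_unsigned(tm->tm_year)))
		return -1;
	return 0;
}
```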