Re: [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days

Hello,

On 19/02/2021 13:51:12-0500, charley.ashbringer@xxxxxxxxx wrote:
> Hi Alessandro and Alexandre,
> Greetings, I'm a 2nd year PhD student who is interested in using UBSan on
> the kernel.
> Through some experiments, I found an out-of-bound array access in function
> rtc_month_days.
> More specifically, through the call chain of
> davinci_rtc_set_time/davinci_rtc_set_alarm -> convert2days ->
> rtc_month_days,
> since davinci_rtc_set_time/davinci_rtc_set_alarm are ioctl functions,
> thus the 2nd parameter, struct rtc_time *tm, is passed in purely from
> user-space which can be any value.

This part is not true and is probably what you are missing: the
userspace input is sanitized by the core, see the rtc_valid_tm calls
here:
https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L130
and here:
https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L457

> And such a value, tm->tm_mon is used directly as an index to a fixed length
> array, rtc_ydays.
> This looks very fishy to me.
> 
> Although I know that, syzkaller has applied UBSan to this driver before, and
> such a simple error cannot evade its detection, I'm still wondering if this
> is a true error,
> and more importantly, if it's not, then why; this will help me understand
> Linux a lot.
> 
> Looking forward to your valued response!
> 

Regards,

-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
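
Added example, not part of the original message and not kernel code: a userspace sketch of the validate-then-index pattern the reply points to, where a core-side range check runs before a driver-side helper uses tm_mon as an index into a fixed-length table. All model_* names and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Userspace stand-in for the fields of the kernel's struct rtc_time. */
struct model_tm { int tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year; };

static const unsigned char days_in_month[12] = {
	31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};

/* Driver-side helper: indexes a fixed-length table and trusts its caller. */
static int model_month_days(unsigned int month, unsigned int year)
{
	int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
	return days_in_month[month] + (leap && month == 1);
}

/* Core-side check. The unsigned casts reject negative values as well as
 * values past the end, and || short-circuits, so tm_mon is range-checked
 * before it is ever used as an index. */
static int model_valid_tm(const struct model_tm *tm)
{
	if (tm->tm_year < 70 || tm->tm_year > INT_MAX - 1900 ||
	    (unsigned int)tm->tm_mon >= 12 ||
	    tm->tm_mday < 1 ||
	    tm->tm_mday > model_month_days(tm->tm_mon, tm->tm_year + 1900u) ||
	    (unsigned int)tm->tm_hour >= 24 ||
	    (unsigned int)tm->tm_min >= 60 ||
	    (unsigned int)tm->tm_sec >= 60)
		return -EINVAL;
	return 0;
}

/* Models the ioctl path: validate first; returns month length or -EINVAL. */
static int model_set_time(int mday, int mon, int year)
{
	struct model_tm tm = { 0, 0, 0, mday, mon, year };
	int err = model_valid_tm(&tm);
	return err ? err : model_month_days(tm.tm_mon, tm.tm_year + 1900u);
}

int main(void)
{
	/* Constructed inputs: tm_mon = 12 and -1 are out of range, 29 Feb 2020 is valid. */
	printf("%d %d %d\n", model_set_time(1, 12, 121),
	       model_set_time(1, -1, 121), model_set_time(29, 1, 120));
	return 0;
}
```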