Hi!

> From: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxx>
> Sent: Friday, February 19, 2021 7:35 PM
> To: charley.ashbringer@xxxxxxxxx
> Cc: a.zummo@xxxxxxxxxxxx; linux-rtc@xxxxxxxxxxxxxxx
> Subject: Re: [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days
>
> Hello,
>
> On 19/02/2021 13:51:12-0500, charley.ashbringer@xxxxxxxxx wrote:
> > Hi Alessandro and Alexandre,
> >
> > Greetings, I'm a 2nd year PhD student who is interested in using UBSan
> > on the kernel.
> > Through some experiments, I found an out-of-bounds array access in
> > function rtc_month_days.
> > More specifically, through the call chain of
> > davinci_rtc_set_time/davinci_rtc_set_alarm -> convert2days ->
> > rtc_month_days, since davinci_rtc_set_time/davinci_rtc_set_alarm are
> > ioctl functions, the 2nd parameter, struct rtc_time *tm, is
> > passed in purely from user-space and can be any value.
>
> This part is not true and is probably what you are missing: the userspace
> input is sanitized by the core, see the rtc_valid_tm calls
> here:
> https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L130
> and here:
> https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L457

Thank you so much for pointing this out. I didn't notice that when probing each individual RTC device there is a devm_rtc_allocate_device which essentially sanitizes the ioctl input from the core. This broadened my understanding of how ioctl works a lot, thank you so much!

Best regards,
Changming

> --
> Alexandre Belloni, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
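A simplified C model of the validate-before-index pattern discussed in this thread, added here as an illustration; it is not code from the emails or from the kernel tree. The struct, table and the `valid_tm`/`month_days`/`set_time_path` functions are hypothetical stand-ins modelled on the split between core-side rtc_valid_tm and driver-side rtc_month_days, showing why an unchecked `tm_mon` from an ioctl would index past a 12-entry table and how the core's check stops that before any driver callback runs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical simplified struct rtc_time: tm_mon is 0..11,
 * tm_year is years since 1900, as in the kernel convention. */
struct rtc_time {
    int tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year;
};

static const unsigned char days_in_month[12] = {
    31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};

static bool is_leap_year(unsigned int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Driver-side table lookup. The caller must guarantee month < 12:
 * with an unchecked user value this read goes out of bounds. */
int month_days(unsigned int month, unsigned int year)
{
    return days_in_month[month] + (is_leap_year(year) && month == 1);
}

/* Core-side sanitization, applied before any driver sees tm.
 * Returns 0 when every field is in range, -1 otherwise. */
int valid_tm(const struct rtc_time *tm)
{
    if (tm->tm_year < 70 || tm->tm_mon < 0 || tm->tm_mon > 11)
        return -1;
    if (tm->tm_mday < 1 ||
        tm->tm_mday > month_days(tm->tm_mon, 1900 + tm->tm_year))
        return -1;
    if (tm->tm_hour < 0 || tm->tm_hour > 23 ||
        tm->tm_min < 0 || tm->tm_min > 59 ||
        tm->tm_sec < 0 || tm->tm_sec > 59)
        return -1;
    return 0;
}

/* Models the ioctl path: the core validates, then the driver-style
 * day conversion (a stand-in for convert2days) indexes the table. */
int set_time_path(const struct rtc_time *tm, long *days_out)
{
    if (valid_tm(tm))
        return -1;           /* rejected before any table lookup */
    long days = 0;
    for (int m = 0; m < tm->tm_mon; m++)
        days += month_days(m, 1900 + tm->tm_year);
    *days_out = days + tm->tm_mday - 1;
    return 0;
}
```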