[PATCH] fat: fat2rtc: Sanitize timestamps

[PATCH] fat: fat2rtc: Sanitize timestamps

[Richard Weinberger]

Make sure that tm_mday and tm_mon are within the expected
range. Upper layers such as rtc_calc_weekday() will use
them as lookup keys for arrays and this can cause out of
bounds memory accesses.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/fat/fat.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index 2dd9d4e72d..f9096e8932 100644
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -1253,8 +1253,9 @@ out:
  */
 static void __maybe_unused fat2rtc(u16 date, u16 time, struct rtc_time *tm)
 {
-	tm->tm_mday = date & 0x1f;
-	tm->tm_mon = (date & 0x1e0) >> 5;
+	tm->tm_mday = max(1, date & 0x1f);
+	tm->tm_mon = clamp((date & 0x1e0) >> 5, 1, 12);
+
 	tm->tm_year = (date >> 9) + 1980;
 
 	tm->tm_sec = (time & 0x1f) << 1;
-- 
2.35.3

Re: [PATCH] fat: fat2rtc: Sanitize timestamps

[Heinrich Schuchardt]

Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger <richard@nod.at>:
>Make sure that tm_mday and tm_mon are within the expected
>range. Upper layers such as rtc_calc_weekday() will use
>them as lookup keys for arrays and this can cause out of
>bounds memory accesses.

rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?

Having a library function for validating a struct rtc_time would be preferable to repeating ourselves in code.

Best regards

Heinrich

>
>Signed-off-by: Richard Weinberger <richard@nod.at>
>---
> fs/fat/fat.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/fs/fat/fat.c b/fs/fat/fat.c
>index 2dd9d4e72d..f9096e8932 100644
>--- a/fs/fat/fat.c
>+++ b/fs/fat/fat.c
>@@ -1253,8 +1253,9 @@ out:
>  */
> static void __maybe_unused fat2rtc(u16 date, u16 time, struct rtc_time *tm)
> {
>-	tm->tm_mday = date & 0x1f;
>-	tm->tm_mon = (date & 0x1e0) >> 5;
>+	tm->tm_mday = max(1, date & 0x1f);
>+	tm->tm_mon = clamp((date & 0x1e0) >> 5, 1, 12);
>+
> 	tm->tm_year = (date >> 9) + 1980;
> 
> 	tm->tm_sec = (time & 0x1f) << 1;

Re: [PATCH] fat: fat2rtc: Sanitize timestamps

[Richard Weinberger]

Am Freitag, 12. Juli 2024, 11:46:08 CEST schrieb 'Heinrich Schuchardt' via upstream: 
> Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger <richard@nod.at>:
> >Make sure that tm_mday and tm_mon are within the expected
> >range. Upper layers such as rtc_calc_weekday() will use
> >them as lookup keys for arrays and this can cause out of
> >bounds memory accesses.
> 
> rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?

It depends on the overall design.
Functions like strlen() also assume that you provide a valid string,
so rtc_calc_weekday() can assume too that the passed rtc_time structure contains valid data.

In doubt, let's fix both FAT and rtc_calc_weekday().

Thanks,
//richard

-- 
​​​​​sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y

Re: [PATCH] fat: fat2rtc: Sanitize timestamps

[Heinrich Schuchardt]

On 12.07.24 11:51, Richard Weinberger wrote:
> Am Freitag, 12. Juli 2024, 11:46:08 CEST schrieb 'Heinrich Schuchardt' via upstream:
>> Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger <richard@nod.at>:
>>> Make sure that tm_mday and tm_mon are within the expected
>>> range. Upper layers such as rtc_calc_weekday() will use
>>> them as lookup keys for arrays and this can cause out of
>>> bounds memory accesses.
>>
>> rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?
>
> It depends on the overall design.
> Functions like strlen() also assume that you provide a valid string,
> so rtc_calc_weekday() can assume too that the passed rtc_time structure contains valid data.
>
> In doubt, let's fix both FAT and rtc_calc_weekday().

Other source locations where the content of struct rtc_time is not
(fully) validated before calling rtc_calc_weekday are

mc146818_get()
mk_date()

to name a few.

Other RTC drivers might also be placing garbage in a struct rtc_time, e.g.

omap_rtc_get()
m41t62_update_rtc_time()

Best regards

Heinrich

Re: [PATCH] fat: fat2rtc: Sanitize timestamps

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 1059 bytes --]

On Fri, Jul 12, 2024 at 11:51:06AM +0200, Richard Weinberger wrote:
> Am Freitag, 12. Juli 2024, 11:46:08 CEST schrieb 'Heinrich Schuchardt' via upstream: 
> > Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger <richard@nod.at>:
> > >Make sure that tm_mday and tm_mon are within the expected
> > >range. Upper layers such as rtc_calc_weekday() will use
> > >them as lookup keys for arrays and this can cause out of
> > >bounds memory accesses.
> > 
> > rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?
> 
> It depends on the overall design.
> Functions like strlen() also assume that you provide a valid string,
> so rtc_calc_weekday() can assume too that the passed rtc_time structure contains valid data.
> 
> In doubt, let's fix both FAT and rtc_calc_weekday().

Well, we care about size growth when at all possible. So what if we
don't sanity check in each FS, but just in rtc_calc_weekday() and make
sure callers handle errors?

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]