From: <charley.ashbringer@gmail.com>
To: <a.zummo@towertech.it>, <alexandre.belloni@bootlin.com>
Cc: <linux-rtc@vger.kernel.org>
Subject: [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days
Date: Fri, 19 Feb 2021 13:51:12 -0500
Message-ID: <000801d706f0$31f2c370$95d84a50$@gmail.com>

Hi Alessandro and Alexandre,
Greetings, I'm a 2nd year PhD student who is interested in using UBSan on
the kernel.
Through some experiments, I found an out-of-bound array access in function
rtc_month_days.
More specifically, through the call chain of
davinci_rtc_set_time/davinci_rtc_set_alarm -> convert2days ->
rtc_month_days,
since davinci_rtc_set_time/davinci_rtc_set_alarm are ioctl functions,
thus the 2nd parameter, struct rtc_time *tm, is passed in purely from
user-space which can be any value.
And such a value, tm->tm_mon is used directly as an index to a fixed length
array, rtc_ydays.
This looks very fishy to me.
Although I know that, syzkaller has applied UBSan to this driver before, and
such a simple error cannot evade its detection, I'm still wondering if this
is a true error,
and more importantly, if it's not, then why; this will help me understand
Linux a lot.
Looking forward to your valued response!
Best regards,
Changming Liu
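
The concern raised in the report above, as an added example that is not part of the original message and is not kernel code: a month index taken from an untrusted caller is range-checked before it indexes a fixed 12-entry table. The `demo_*` names and `struct demo_time` are hypothetical, and the sample inputs are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for caller-supplied time fields (not struct rtc_time). */
struct demo_time {
    int tm_mon;  /* valid range 0..11 */
    int tm_year; /* years since 1900 */
};

static const unsigned char demo_days_in_month[12] = {
    31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};

static bool demo_is_leap(unsigned int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Unchecked lookup: only safe when the caller guarantees month <= 11. */
static int demo_month_days_unchecked(unsigned int month, unsigned int year)
{
    return demo_days_in_month[month] + (demo_is_leap(year) && month == 1);
}

/* Boundary check: reject out-of-range fields before any table access. */
int demo_month_days_checked(const struct demo_time *tm)
{
    if (tm == NULL || tm->tm_mon < 0 || tm->tm_mon >= 12 || tm->tm_year < 0)
        return -EINVAL;
    return demo_month_days_unchecked((unsigned int)tm->tm_mon,
                                     (unsigned int)tm->tm_year + 1900u);
}

int main(void)
{
    /* Constructed inputs: a valid February and two out-of-range months. */
    struct demo_time samples[] = { {1, 100}, {12, 121}, {-1, 121} };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("tm_mon=%d -> %d\n", samples[i].tm_mon,
               demo_month_days_checked(&samples[i]));
    return 0;
}
```

Building the unchecked variant with `-fsanitize=bounds` and passing it a month of 12 or more is the kind of access UBSan reports; the checked wrapper returns `-EINVAL` before the table is touched.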