[bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month

linux-rtc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days
@ 2021-02-19 18:51 charley.ashbringer
  2021-02-20  0:35 ` Alexandre Belloni
  0 siblings, 1 reply; 3+ messages in thread
From: charley.ashbringer @ 2021-02-19 18:51 UTC (permalink / raw)
  To: a.zummo, alexandre.belloni; +Cc: linux-rtc

Hi Alessandro and Alexandre,
Greetings, I'm a 2nd year PhD student who is interested in using UBSan to
the kernel.
Through some experiment, I found a out-of-bound array access in function
rtc_month_days.
More specifically, the through the call chain of 
davinci_rtc_set_time/davinci_rtc_set_alarm -> convert2days ->
rtc_month_days,
since davinci_rtc_set_time/davinci_rtc_set_alarm are ioctl functions,
thus the 2nd parameter, struct rtc_time *tm, is passed in purely from
user-space which can be any value.
And such a value, tm->tm_mon is used directly as an index to a fixed length
array, rtc_ydays.
This looks very fishy to me.

Although I know that, syzkaller has applied UBSan to this driver before, and
such a simple error cannot evade its detection, I'm still wondering if this
is a true error,
and more importantly, if it's not, then why, this will help me understand
linux a lot.

Looking forward to your valued response!

Best regards,
Changming Liu

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days
  2021-02-19 18:51 [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days charley.ashbringer
@ 2021-02-20  0:35 ` Alexandre Belloni
  2021-02-20 17:27   ` charley.ashbringer
  0 siblings, 1 reply; 3+ messages in thread
From: Alexandre Belloni @ 2021-02-20  0:35 UTC (permalink / raw)
  To: charley.ashbringer; +Cc: a.zummo, linux-rtc

Hello,

On 19/02/2021 13:51:12-0500, charley.ashbringer@gmail.com wrote:
> Hi Alessandro and Alexandre,
> Greetings, I'm a 2nd year PhD student who is interested in using UBSan to
> the kernel.
> Through some experiment, I found a out-of-bound array access in function
> rtc_month_days.
> More specifically, the through the call chain of 
> davinci_rtc_set_time/davinci_rtc_set_alarm -> convert2days ->
> rtc_month_days,
> since davinci_rtc_set_time/davinci_rtc_set_alarm are ioctl functions,
> thus the 2nd parameter, struct rtc_time *tm, is passed in purely from
> user-space which can be any value.

This part is not true and is probably what you are missing, the
userspace input is sanitized by the core, see the rtc_valid_tm calls
here:
https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L130
and here:
https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L457

> And such a value, tm->tm_mon is used directly as an index to a fixed length
> array, rtc_ydays.
> This looks very fishy to me.
> 
> Although I know that, syzkaller has applied UBSan to this driver before, and
> such a simple error cannot evade its detection, I'm still wondering if this
> is a true error,
> and more importantly, if it's not, then why, this will help me understand
> linux a lot.
> 
> Looking forward to your valued response!
> 

Regards,

-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days
  2021-02-20  0:35 ` Alexandre Belloni
@ 2021-02-20 17:27   ` charley.ashbringer
  0 siblings, 0 replies; 3+ messages in thread
From: charley.ashbringer @ 2021-02-20 17:27 UTC (permalink / raw)
  To: 'Alexandre Belloni'; +Cc: a.zummo, linux-rtc

Hi!

> From: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Sent: Friday, February 19, 2021 7:35 PM
> To: charley.ashbringer@gmail.com
> Cc: a.zummo@towertech.it; linux-rtc@vger.kernel.org
> Subject: Re: [bug report] out-of-bound array access in drivers/rtc/lib.c
> rtc_month_days
> 
> Hello,
> 
> On 19/02/2021 13:51:12-0500, charley.ashbringer@gmail.com wrote:
> > Hi Alessandro and Alexandre,
> > Greetings, I'm a 2nd year PhD student who is interested in using UBSan
> > to the kernel.
> > Through some experiment, I found a out-of-bound array access in
> > function rtc_month_days.
> > More specifically, the through the call chain of
> > davinci_rtc_set_time/davinci_rtc_set_alarm -> convert2days ->
> > rtc_month_days, since davinci_rtc_set_time/davinci_rtc_set_alarm are
> > ioctl functions, thus the 2nd parameter, struct rtc_time *tm, is
> > passed in purely from user-space which can be any value.
> 
> This part is not true and is probably what you are missing, the userspace
> input is sanitized by the core, see the rtc_valid_tm calls
> here:
> https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L130
> and here:
> https://elixir.bootlin.com/linux/v5.11/source/drivers/rtc/interface.c#L457
> 

Thank you so much for pointing this out, 
I didn't notice when probing each individual rtc device, 
there is a devm_rtc_allocate_device which essentially 
sanitized the ioctl input from the core.
This broaden my understanding of how ioctl works a lot, 
thank you so much!

Best regards,
Changming

> --
> Alexandre Belloni, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-02-20 17:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-02-19 18:51 [bug report] out-of-bound array access in drivers/rtc/lib.c rtc_month_days charley.ashbringer
2021-02-20  0:35 ` Alexandre Belloni
2021-02-20 17:27   ` charley.ashbringer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).