[PATCH] fat: fat2rtc: Sanitize timestamps
Make sure that tm_mday and tm_mon are within the expected range. Upper layers such as rtc_calc_weekday() will use them as lookup keys for arrays and this can cause out of bounds memory accesses.
Signed-off-by: Richard Weinberger richard@nod.at --- fs/fat/fat.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/fat/fat.c b/fs/fat/fat.c index 2dd9d4e72d..f9096e8932 100644 --- a/fs/fat/fat.c +++ b/fs/fat/fat.c @@ -1253,8 +1253,9 @@ out: */ static void __maybe_unused fat2rtc(u16 date, u16 time, struct rtc_time *tm) { - tm->tm_mday = date & 0x1f; - tm->tm_mon = (date & 0x1e0) >> 5; + tm->tm_mday = max(1, date & 0x1f); + tm->tm_mon = clamp((date & 0x1e0) >> 5, 1, 12); + tm->tm_year = (date >> 9) + 1980;
tm->tm_sec = (time & 0x1f) << 1;
Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger richard@nod.at:
Make sure that tm_mday and tm_mon are within the expected range. Upper layers such as rtc_calc_weekday() will use them as lookup keys for arrays and this can cause out of bounds memory accesses.
rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?
Having a library function for validating a struct rtc_time would be preferable to repeating ourselves in code.
Best regards
Heinrich
Signed-off-by: Richard Weinberger richard@nod.at
fs/fat/fat.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/fat/fat.c b/fs/fat/fat.c index 2dd9d4e72d..f9096e8932 100644 --- a/fs/fat/fat.c +++ b/fs/fat/fat.c @@ -1253,8 +1253,9 @@ out: */ static void __maybe_unused fat2rtc(u16 date, u16 time, struct rtc_time *tm) {
- tm->tm_mday = date & 0x1f;
- tm->tm_mon = (date & 0x1e0) >> 5;
tm->tm_mday = max(1, date & 0x1f);
tm->tm_mon = clamp((date & 0x1e0) >> 5, 1, 12);
tm->tm_year = (date >> 9) + 1980;
tm->tm_sec = (time & 0x1f) << 1;
Am Freitag, 12. Juli 2024, 11:46:08 CEST schrieb 'Heinrich Schuchardt' via upstream:
Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger richard@nod.at:
Make sure that tm_mday and tm_mon are within the expected range. Upper layers such as rtc_calc_weekday() will use them as lookup keys for arrays and this can cause out of bounds memory accesses.
rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?
It depends on the overall design. Functions like strlen() also assume that you provide a valid string, so rtc_calc_weekday() can assume too that the passed rtc_time structure contains valid data.
In doubt, let's fix both FAT and rtc_calc_weekday().
Thanks, //richard
On 12.07.24 11:51, Richard Weinberger wrote:
Am Freitag, 12. Juli 2024, 11:46:08 CEST schrieb 'Heinrich Schuchardt' via upstream:
Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger richard@nod.at:
Make sure that tm_mday and tm_mon are within the expected range. Upper layers such as rtc_calc_weekday() will use them as lookup keys for arrays and this can cause out of bounds memory accesses.
rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?
It depends on the overall design. Functions like strlen() also assume that you provide a valid string, so rtc_calc_weekday() can assume too that the passed rtc_time structure contains valid data.
In doubt, let's fix both FAT and rtc_calc_weekday().
Other source locations where the content of struct rtc_time is not (fully) validated before calling rtc_calc_weekday are
mc146818_get() mk_date()
to name a few.
Other RTC drivers might also be placing garbage in a struct rtc_time, e.g.
omap_rtc_get() m41t62_update_rtc_time()
Best regards
Heinrich
On Fri, Jul 12, 2024 at 11:51:06AM +0200, Richard Weinberger wrote:
Am Freitag, 12. Juli 2024, 11:46:08 CEST schrieb 'Heinrich Schuchardt' via upstream:
Am 12. Juli 2024 10:24:54 MESZ schrieb Richard Weinberger richard@nod.at:
Make sure that tm_mday and tm_mon are within the expected range. Upper layers such as rtc_calc_weekday() will use them as lookup keys for arrays and this can cause out of bounds memory accesses.
rtc_calc_weekday() might receive invalid input from other sources. Shouldn't the function always validate its input before array access?
It depends on the overall design. Functions like strlen() also assume that you provide a valid string, so rtc_calc_weekday() can assume too that the passed rtc_time structure contains valid data.
In doubt, let's fix both FAT and rtc_calc_weekday().
Well, we care about size growth when at all possible. So what if we don't sanity check in each FS, but just in rtc_calc_weekday() and make sure callers handle errors?
participants (4)
-
Heinrich Schuchardt -
Richard Weinberger -
Richard Weinberger -
Tom Rini