Handle NULL return from localtime(3) in ls(1) and find(1)

The ls(1) (with -l option) and find(1) (with -ls option) utilties
segment fault when operating on files with very large modification
times. A recent disk corruption set a spurious bit in the mtime
field of one of my files to 0x8000000630b0167 (576460753965089127)
which is in year 18,266,940,962. I discovered the problem when
running fsck_ffs(8) which uses ctime(3) to convert it to a readable
format. Ctime cannot fit the year into its four character field, so
returns ??? ??? ?? ??:??:?? ???? (typically Thu Nov 24 18:22:48 2021).

With the filesystem mounted, I used `ls -l' to see how it would
report the modification time and it segment faulted. The find(1)
program also segment faulted (see script below). Both these utilities
call the localtime(3) function to decode the modification time.
Localtime(3) returns a pointer to a struct tm (which breaks things
out into its component pieces: year, month, day, hour, minute,
second). The ls(1) and find(1) utilities then print out the date
based on the appropriate fields in the returned tm structure.

Although not documented in the localtime(3) manual page, localtime(3)
returns a NULL pointer if the passed in time translates to a year
that will not fit in an "int" (which if "int" is 32-bits cannot
hold the year 18,266,940,962). Since ls(1) and find(1) do not check
for a NULL struct tm * return from localtime(3), they segment fault
when they try to dereference it.

When localtime(3) returns NULL, the attached patches produce a date
string of "bad date val". This string is chosen because it has the
same number of characters (12) and white spaces (2) as the usual
date string, for example "Sep 3 22:06" or "May 15 2017".

The most recent ANSI standard for localtime(3) does say that localtime(3)
can return NULL (see https://pubs.opengroup.org/onlinepubs/9699919799/
and enter localtime in the search box). Our localtime(3) man page should
be updated to indicate that NULL is a possible return. More importantly,
there are over 100 uses of localtime(3) in the FreeBSD source tree (see
Differential Revision D36474 for the list). Most do not check for a NULL
return from localtime(3).

Reported by:  Peter Holm
Reviewed by:  kib, Chuck Silvers, Warner Losh
MFC after:    2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36474

1 files changed, 6 insertions, 5 deletions

diff --git a/bin/ls/print.c b/bin/ls/print.c
index bbe5c6f8a6f6..5e8a54ca0620 100644
--- a/bin/ls/print.c
+++ b/bin/ls/print.c
@@ -432,18 +432,17 @@ printdev(size_t width, dev_t dev)
 	(void)printf("%#*jx ", (u_int)width, (uintmax_t)dev);
 }
 
-static size_t
+static void
 ls_strftime(char *str, size_t len, const char *fmt, const struct tm *tm)
 {
 	char *posb, nfmt[BUFSIZ];
 	const char *format = fmt;
-	size_t ret;
 
 	if ((posb = strstr(fmt, "%b")) != NULL) {
 		if (month_max_size == 0) {
 			compute_abbreviated_month_size();
 		}
-		if (month_max_size > 0) {
+		if (month_max_size > 0 && tm != NULL) {
 			snprintf(nfmt, sizeof(nfmt),  "%.*s%s%*s%s",
 			    (int)(posb - fmt), fmt,
 			    get_abmon(tm->tm_mon),
@@ -453,8 +452,10 @@ ls_strftime(char *str, size_t len, const char *fmt, const struct tm *tm)
 			format = nfmt;
 		}
 	}
-	ret = strftime(str, len, format, tm);
-	return (ret);
+	if (tm != NULL)
+		strftime(str, len, format, tm);
+	else
+		strlcpy(str, "bad date val", len);
 }
 
 static void