| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Dec 2017 18:11:09 +0100 (CET)
From: Thomas Gleixner <tglx@...utronix.de>
To: Eric Biggers <ebiggers3@...il.com>
cc: syzbot
<bot+f7b85b77fd8042059586165494cd708475e87fc3@...kaller.appspotmail.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk
Subject: Re: general protection fault in string
On Mon, 11 Dec 2017, Eric Biggers wrote:
> On Sat, Dec 02, 2017 at 09:10:01PM -0800, syzbot wrote:
> > ---[ end trace 3570c98033660e3f ]---
>
> The bug is that sys_timer_create() allows setting ->it_sigev_notify to almost
> any value, but show_timer() assumes that it has one of a specific set of values.
> Here's a simplified reproducer:
>
> #include <fcntl.h>
> #include <signal.h>
> #include <time.h>
> #include <unistd.h>
>
> int main()
> {
> struct sigevent e = {
> .sigev_signo = 0x1c,
> .sigev_notify = 0x100000,
> };
> timer_t t;
> int fd;
> char buf[64];
>
> timer_create(CLOCK_MONOTONIC, &e, &t);
>
> fd = open("/proc/self/timers", O_RDONLY);
>
> read(fd, buf, sizeof(buf));
> }
>
> I wonder if anything would break if we made sys_timer_create() return -EINVAL
> for unrecognized values of sigev_notify? That's what it *should* do, but it
> seems to be the classic "unchecked flags" bug, yet again...
So this is the 5th time this comes up and I sent a patch the first time. No
answer since than just more repeating reports.
https://marc.info/?l=linux-kernel&m=151204669103208&w=2
Thanks,
tglx
Powered by blists - more mailing lists