lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251114050621.875131-1-eslam.medhat1993@gmail.com>
Date: Fri, 14 Nov 2025 07:06:21 +0200
From: Eslam Khafagy <eslam.medhat1993@...il.com>
To: anna-maria@...utronix.de,
	frederic@...nel.org,
	tglx@...utronix.de,
	gorcunov@...il.com
Cc: eslam.medhat1993@...il.com,
	syzkaller-bugs@...glegroups.com,
	linux-kernel@...r.kernel.org,
	syzbot+9c47ad18f978d4394986@...kaller.appspotmail.com
Subject: [PATCH] posix-timers: Fix potential memory leak in do_timer_create()

potential memory leak may happen if user space pointer created_timer_id
is invallid. or the value it points to is invalid. the call will
prematurely return.

However it doesn't free the memory it allocates with
alloc_posix_timer(). This patch attemps to fix that.

Reported-and-tested-by: syzbot+9c47ad18f978d4394986@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/
Fixes: ec2d0c04624b3c8a7eb1682e006717fa20cfbe24 ("posix-timers: Provide a mechanism to allocate a given timer ID")
Signed-off-by: Eslam Khafagy <eslam.medhat1993@...il.com>
---
 kernel/time/posix-timers.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index aa3120104a51..46ee10551c63 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -483,11 +483,15 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
 
 	/* Special case for CRIU to restore timers with a given timer ID. */
 	if (unlikely(current->signal->timer_create_restore_ids)) {
-		if (copy_from_user(&req_id, created_timer_id, sizeof(req_id)))
+		if (copy_from_user(&req_id, created_timer_id, sizeof(req_id))) {
+			posixtimer_free_timer(new_timer);
 			return -EFAULT;
+		}
 		/* Valid IDs are 0..INT_MAX */
-		if ((unsigned int)req_id > INT_MAX)
+		if ((unsigned int)req_id > INT_MAX) {
+			posixtimer_free_timer(new_timer);
 			return -EINVAL;
+		}
 	}
 
 	/*
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ