lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251114122739.994326-1-eslam.medhat1993@gmail.com>
Date: Fri, 14 Nov 2025 14:27:39 +0200
From: Eslam Khafagy <eslam.medhat1993@...il.com>
To: anna-maria@...utronix.de,
	frederic@...nel.org,
	tglx@...utronix.de,
	gorcunov@...il.com
Cc: eslam.medhat1993@...il.com,
	syzkaller-bugs@...glegroups.com,
	linux-kernel@...r.kernel.org,
	syzbot+9c47ad18f978d4394986@...kaller.appspotmail.com
Subject: [PATCH v2] posix-timers: Fix potential memory leak in do_timer_create()

potential memory leak may happen if user space pointer created_timer_id
is invallid. or the value it points to is invalid. the call will
prematurely return.
However it doesn't free the memory it allocates with
alloc_posix_timer(). This patch attempts to fix that by moving parameter
check before alloc_posix_timer().

Reported-by: syzbot+9c47ad18f978d4394986@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/
Fixes: ec2d0c04624b3 ("posix-timers: Provide a mechanism to allocate a given timer ID")
Suggested-by: Cyrill Gorcunov <gorcunov@...il.com>
Signed-off-by: Eslam Khafagy <eslam.medhat1993@...il.com>
---
v2:
* Move parameters check before new timer allocation, no need for new
  code.
v1: https://lore.kernel.org/all/20251114050621.875131-1-eslam.medhat1993@gmail.com/T/
---
 kernel/time/posix-timers.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index aa3120104a51..56e17b625c72 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -475,12 +475,6 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
 	if (!kc->timer_create)
 		return -EOPNOTSUPP;
 
-	new_timer = alloc_posix_timer();
-	if (unlikely(!new_timer))
-		return -EAGAIN;
-
-	spin_lock_init(&new_timer->it_lock);
-
 	/* Special case for CRIU to restore timers with a given timer ID. */
 	if (unlikely(current->signal->timer_create_restore_ids)) {
 		if (copy_from_user(&req_id, created_timer_id, sizeof(req_id)))
@@ -490,6 +484,12 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
 			return -EINVAL;
 	}
 
+	new_timer = alloc_posix_timer();
+	if (unlikely(!new_timer))
+		return -EAGAIN;
+
+	spin_lock_init(&new_timer->it_lock);
+
 	/*
 	 * Add the timer to the hash table. The timer is not yet valid
 	 * after insertion, but has a unique ID allocated.
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ