141137 – sys_timer_create gets uninitialized struct sigevent via timer_create

Bug 141137 - sys_timer_create gets uninitialized struct sigevent via timer_create

Summary: sys_timer_create gets uninitialized struct sigevent via timer_create

Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	glibc
Sub Component:
Version:	3
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jakub Jelinek
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-11-29 16:20 UTC by John Reiser
Modified:	2007-11-30 22:10 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2004-11-30 22:18:25 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description John Reiser 2004-11-29 16:20:39 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The Linux kernel system call "sys_timer_create" for creating a POSIX
timer reads a user struct sigevent of 64 bytes, but the glibc
timer_create() routine sometimes supplies initialized values only in
the beginning 16 or 20 bytes (32 bytes on a 64-bit system), leaving
the trailing bytes of the struct uninitialized.  In theory the
.sigev_notify member will be used to control if/when the kernel pays
attention to the remaining bytes, but passing uninitialized values
from the user to the kernel is an unsafe programming practice that may
inhibit future forward+backward compatibility, and does "leak" random
values today.

The entire struct sigevent can be initialized inexpensively by a call
to memset:
-----nptl/sysdeps/pthread/timer_routines.c:568 [__timer_alloc()]
      struct timer_node *timer = timer_links2ptr (node);
      list_unlink_ip (node);
      memset(&timer->event, 0, sizeof(timer->event));     /* Safety */
      timer->inuse = TIMER_INUSE;
-----

Version-Release number of selected component (if applicable):
glibc-2.3.3-74

How reproducible:
Always

Steps to Reproduce:
1. Run testcase rt/tst-timer and look at the second system call to
sys_timer_create, the one from nptl/sysdeps/pthread/tst-timer.c where:
   if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
where the sigevent that the kernel sees belongs internally to glibc,
and was allocated by __timer_alloc().
2.
3.
    

Actual Results:  Trailing 48 bytes of struct sigevent are
uninitialized at system call to sys_timer_create (on a 32-bit system.)

Expected Results:  The kernel reads no [logically] uninitialized values.

Additional info:  The first system call from rt/tst-timer to
sys_timer_create also has uninitialized bytes in sigev1, but these are
the fault of nptl/sysdeps/pthread/tst-timer.c because sigev1 is passed
directly to the kernel.  The second system call uses a another struct
sigevent that is allocated internally by glibc (and not the sigev2
that is passed to the nptl-level timer_create), and this bug is
complaining about the uninit trailing bytes in this internal struct
sigevent obtained from __timer_alloc().

Comment 2 Roland McGrath 2004-11-30 22:18:25 UTC

This is not a bug.  It would be wasteful to clear the unused memory, and a
kernel ABI compatibility bug if it ever mattered to do so.

Note You need to log in before you can comment on or make changes to this bug.