Bug 141137 - sys_timer_create gets uninitialized struct sigevent via timer_create
Product: Fedora
Classification: Fedora
Component: glibc
i686 Linux
Priority: medium  Severity: medium
Assigned To: Jakub Jelinek
Brian Brock
Depends On:
Reported: 2004-11-29 11:20 EST by John Reiser
Modified: 2007-11-30 17:10 EST

Doc Type: Bug Fix

Description John Reiser 2004-11-29 11:20:39 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The Linux kernel system call "sys_timer_create" for creating a POSIX
timer reads a user struct sigevent of 64 bytes, but the glibc
timer_create() routine sometimes supplies initialized values only in
the beginning 16 or 20 bytes (32 bytes on a 64-bit system), leaving
the trailing bytes of the struct uninitialized.  In theory the
.sigev_notify member will be used to control if/when the kernel pays
attention to the remaining bytes, but passing uninitialized values
from the user to the kernel is an unsafe programming practice that may
inhibit future forward+backward compatibility, and does "leak" random
values today.

The entire struct sigevent can be initialized inexpensively by a call
to memset:
-----nptl/sysdeps/pthread/timer_routines.c:568 [__timer_alloc()]
      struct timer_node *timer = timer_links2ptr (node);
      list_unlink_ip (node);
      memset(&timer->event, 0, sizeof(timer->event));     /* Safety */
      timer->inuse = TIMER_INUSE;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run testcase rt/tst-timer and look at the second system call to
sys_timer_create, the one from nptl/sysdeps/pthread/tst-timer.c where:
   if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
where the sigevent that the kernel sees belongs internally to glibc,
and was allocated by __timer_alloc().

Actual Results:  Trailing 48 bytes of struct sigevent are
uninitialized at system call to sys_timer_create (on a 32-bit system).

Expected Results:  The kernel reads no [logically] uninitialized values.

Additional info:  The first system call from rt/tst-timer to
sys_timer_create also has uninitialized bytes in sigev1, but these are
the fault of nptl/sysdeps/pthread/tst-timer.c because sigev1 is passed
directly to the kernel.  The second system call uses another struct
sigevent that is allocated internally by glibc (and not the sigev2
that is passed to the nptl-level timer_create), and this bug is
complaining about the uninit trailing bytes in this internal struct
sigevent obtained from __timer_alloc().
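The partial-initialization pattern the report describes, as an added example that is not glibc's or the reporter's code: it fills a struct sigevent with a known pattern (a stand-in for stale memory), writes only the members a caller normally sets (the SIGEV_SIGNAL and SIGEV_THREAD cases), and counts the bytes left untouched, then repeats the measurement with the whole-object memset the report proposes. It assumes glibc's struct sigevent layout; the counts it reports correspond to the 16/20/32-byte figures in the report only on that layout.

```c
/* Added example (not glibc's code): count how many bytes of a struct
   sigevent stay unwritten when only its fields are set, versus clearing
   the whole object first as the report proposes. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

static void noop_notify(union sigval sv) { (void) sv; }

/* Only the leading members are written; the rest of the 64-byte object
   keeps whatever the memory held before (the pattern the report describes). */
void init_partial(struct sigevent *ev, int notify)
{
    ev->sigev_notify = notify;
    ev->sigev_signo = SIGUSR1;
    ev->sigev_value.sival_ptr = NULL;
    if (notify == SIGEV_THREAD) {
        ev->sigev_notify_function = noop_notify;
        ev->sigev_notify_attributes = NULL;
    }
}

/* Same fields, but every byte is defined before the kernel could read it. */
void init_zeroed(struct sigevent *ev, int notify)
{
    memset(ev, 0, sizeof *ev);    /* the memset the report proposes */
    init_partial(ev, notify);
}

/* Fill the object with a pattern, run the initialiser, count the bytes
   still holding the pattern. Two patterns are used so a written byte that
   happens to equal one of them (e.g. part of a pointer) is not miscounted. */
size_t unwritten_bytes(void (*init)(struct sigevent *, int), int notify)
{
    static const unsigned char pat[2] = { 0xAA, 0x55 };
    unsigned char seen[2][sizeof(struct sigevent)];
    for (int k = 0; k < 2; k++) {
        struct sigevent ev;
        memset(&ev, pat[k], sizeof ev);   /* stand-in for stale memory */
        init(&ev, notify);
        memcpy(seen[k], &ev, sizeof ev);
    }
    size_t n = 0;
    for (size_t i = 0; i < sizeof(struct sigevent); i++)
        if (seen[0][i] == pat[0] && seen[1][i] == pat[1])
            n++;
    return n;
}
```

On 64-bit glibc the three calls give 48, 32 and 0 unwritten bytes out of 64, i.e. the trailing bytes the kernel copies but nobody wrote.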
Comment 2 Roland McGrath 2004-11-30 17:18:25 EST
This is not a bug.  It would be wasteful to clear the unused memory, and a
kernel ABI compatibility bug if it ever mattered to do so.
