Bug 141137 - sys_timer_create gets uninitialized struct sigevent via timer_create
Summary: sys_timer_create gets uninitialized struct sigevent via timer_create
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 3
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-11-29 16:20 UTC by John Reiser
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2004-11-30 22:18:25 UTC


Attachments (Terms of Use)

Description John Reiser 2004-11-29 16:20:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The Linux kernel system call "sys_timer_create" for creating a POSIX
timer reads a user struct sigevent of 64 bytes, but the glibc
timer_create() routine sometimes supplies initialized values only in
the beginning 16 or 20 bytes (32 bytes on a 64-bit system), leaving
the trailing bytes of the struct uninitialized.  In theory the
.sigev_notify member will be used to control if/when the kernel pays
attention to the remaining bytes, but passing uninitialized values
from the user to the kernel is an unsafe programming practice that may
inhibit future forward+backward compatibility, and does "leak" random
values today.

The entire struct sigevent can be initialized inexpensively by a call
to memset:
-----nptl/sysdeps/pthread/timer_routines.c:568 [__timer_alloc()]
      struct timer_node *timer = timer_links2ptr (node);
      list_unlink_ip (node);
      memset(&timer->event, 0, sizeof(timer->event));     /* Safety */
      timer->inuse = TIMER_INUSE;
-----

Version-Release number of selected component (if applicable):
glibc-2.3.3-74

How reproducible:
Always

Steps to Reproduce:
1. Run testcase rt/tst-timer and look at the second system call to
sys_timer_create, the one from nptl/sysdeps/pthread/tst-timer.c where:
   if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
where the sigevent that the kernel sees belongs internally to glibc,
and was allocated by __timer_alloc().
2.
3.
    

Actual Results:  Trailing 48 bytes of struct sigevent are
uninitialized at system call to sys_timer_create (on a 32-bit system.)

Expected Results:  The kernel reads no [logically] uninitialized values.

Additional info:  The first system call from rt/tst-timer to
sys_timer_create also has uninitialized bytes in sigev1, but these are
the fault of nptl/sysdeps/pthread/tst-timer.c because sigev1 is passed
directly to the kernel.  The second system call uses a another struct
sigevent that is allocated internally by glibc (and not the sigev2
that is passed to the nptl-level timer_create), and this bug is
complaining about the uninit trailing bytes in this internal struct
sigevent obtained from __timer_alloc().

Comment 2 Roland McGrath 2004-11-30 22:18:25 UTC
This is not a bug.  It would be wasteful to clear the unused memory, and a
kernel ABI compatibility bug if it ever mattered to do so.


Note You need to log in before you can comment on or make changes to this bug.