This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
First Last Prev Next    This bug is not in your last search results.
Bug 141137 - sys_timer_create gets uninitialized struct sigevent via timer_create
sys_timer_create gets uninitialized struct sigevent via timer_create
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: glibc (Show other bugs)
3
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-29 11:20 EST by John Reiser
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-30 17:18:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description John Reiser 2004-11-29 11:20:39 EST 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The Linux kernel system call "sys_timer_create" for creating a POSIX
timer reads a user struct sigevent of 64 bytes, but the glibc
timer_create() routine sometimes supplies initialized values only in
the beginning 16 or 20 bytes (32 bytes on a 64-bit system), leaving
the trailing bytes of the struct uninitialized.  In theory the
.sigev_notify member will be used to control if/when the kernel pays
attention to the remaining bytes, but passing uninitialized values
from the user to the kernel is an unsafe programming practice that may
inhibit future forward+backward compatibility, and does "leak" random
values today.

The entire struct sigevent can be initialized inexpensively by a call
to memset:
-----nptl/sysdeps/pthread/timer_routines.c:568 [__timer_alloc()]
      struct timer_node *timer = timer_links2ptr (node);
      list_unlink_ip (node);
      memset(&timer->event, 0, sizeof(timer->event));     /* Safety */
      timer->inuse = TIMER_INUSE;
-----

Version-Release number of selected component (if applicable):
glibc-2.3.3-74

How reproducible:
Always

Steps to Reproduce:
1. Run testcase rt/tst-timer and look at the second system call to
sys_timer_create, the one from nptl/sysdeps/pthread/tst-timer.c where:
   if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
where the sigevent that the kernel sees belongs internally to glibc,
and was allocated by __timer_alloc().
2.
3.
    

Actual Results:  Trailing 48 bytes of struct sigevent are
uninitialized at system call to sys_timer_create (on a 32-bit system.)

Expected Results:  The kernel reads no [logically] uninitialized values.

Additional info:  The first system call from rt/tst-timer to
sys_timer_create also has uninitialized bytes in sigev1, but these are
the fault of nptl/sysdeps/pthread/tst-timer.c because sigev1 is passed
directly to the kernel.  The second system call uses a another struct
sigevent that is allocated internally by glibc (and not the sigev2
that is passed to the nptl-level timer_create), and this bug is
complaining about the uninit trailing bytes in this internal struct
sigevent obtained from __timer_alloc().
Comment 2 Roland McGrath 2004-11-30 17:18:25 EST 
This is not a bug.  It would be wasteful to clear the unused memory, and a
kernel ABI compatibility bug if it ever mattered to do so.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.