Bug 141137 – sys_timer_create gets uninitialized struct sigevent via timer_create

Bug 141137 - sys_timer_create gets uninitialized struct sigevent via timer_create

Summary:	sys_timer_create gets uninitialized struct sigevent via timer_create

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	glibc (Show other bugs)
Sub Component:
Version:	3
Hardware:	i686 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Jakub Jelinek
QA Contact:	Brian Brock
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2004-11-29 11:20 EST by John Reiser
Modified:	2007-11-30 17:10 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-11-30 17:18:25 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description John Reiser 2004-11-29 11:20:39 EST

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The Linux kernel system call "sys_timer_create" for creating a POSIX
timer reads a user struct sigevent of 64 bytes, but the glibc
timer_create() routine sometimes supplies initialized values only in
the beginning 16 or 20 bytes (32 bytes on a 64-bit system), leaving
the trailing bytes of the struct uninitialized.  In theory the
.sigev_notify member will be used to control if/when the kernel pays
attention to the remaining bytes, but passing uninitialized values
from the user to the kernel is an unsafe programming practice that may
inhibit future forward+backward compatibility, and does "leak" random
values today.

The entire struct sigevent can be initialized inexpensively by a call
to memset:
-----nptl/sysdeps/pthread/timer_routines.c:568 [__timer_alloc()]
      struct timer_node *timer = timer_links2ptr (node);
      list_unlink_ip (node);
      memset(&timer->event, 0, sizeof(timer->event));     /* Safety */
      timer->inuse = TIMER_INUSE;
-----

Version-Release number of selected component (if applicable):
glibc-2.3.3-74

How reproducible:
Always

Steps to Reproduce:
1. Run testcase rt/tst-timer and look at the second system call to
sys_timer_create, the one from nptl/sysdeps/pthread/tst-timer.c where:
   if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
where the sigevent that the kernel sees belongs internally to glibc,
and was allocated by __timer_alloc().
2.
3.
    

Actual Results:  Trailing 48 bytes of struct sigevent are
uninitialized at system call to sys_timer_create (on a 32-bit system.)

Expected Results:  The kernel reads no [logically] uninitialized values.

Additional info:  The first system call from rt/tst-timer to
sys_timer_create also has uninitialized bytes in sigev1, but these are
the fault of nptl/sysdeps/pthread/tst-timer.c because sigev1 is passed
directly to the kernel.  The second system call uses a another struct
sigevent that is allocated internally by glibc (and not the sigev2
that is passed to the nptl-level timer_create), and this bug is
complaining about the uninit trailing bytes in this internal struct
sigevent obtained from __timer_alloc().

Comment 2 Roland McGrath 2004-11-30 17:18:25 EST

This is not a bug.  It would be wasteful to clear the unused memory, and a
kernel ABI compatibility bug if it ever mattered to do so.

Note You need to log in before you can comment on or make changes to this bug.