From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
The Linux kernel system call "sys_timer_create" for creating a POSIX timer reads a user struct sigevent of 64 bytes, but the glibc timer_create() routine sometimes supplies initialized values only in the beginning 16 or 20 bytes (32 bytes on a 64-bit system), leaving the trailing bytes of the struct uninitialized. In theory the .sigev_notify member will be used to control if/when the kernel pays attention to the remaining bytes, but passing uninitialized values from the user to the kernel is an unsafe programming practice that may inhibit future forward+backward compatibility, and does "leak" random values today. The entire struct sigevent can be initialized inexpensively by a call to memset:

-----nptl/sysdeps/pthread/timer_routines.c:568 [__timer_alloc()]
  struct timer_node *timer = timer_links2ptr (node);
  list_unlink_ip (node);
  memset(&timer->event, 0, sizeof(timer->event));  /* Safety */
  timer->inuse = TIMER_INUSE;
-----

Version-Release number of selected component (if applicable):
glibc-2.3.3-74

How reproducible:
Always

Steps to Reproduce:
1. Run testcase rt/tst-timer and look at the second system call to sys_timer_create, the one from nptl/sysdeps/pthread/tst-timer.c where:
     if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
   where the sigevent that the kernel sees belongs internally to glibc, and was allocated by __timer_alloc().
2.
3.

Actual Results:
Trailing 48 bytes of struct sigevent are uninitialized at system call to sys_timer_create (on a 32-bit system.)

Expected Results:
The kernel reads no [logically] uninitialized values.

Additional info:
The first system call from rt/tst-timer to sys_timer_create also has uninitialized bytes in sigev1, but these are the fault of nptl/sysdeps/pthread/tst-timer.c because sigev1 is passed directly to the kernel.
The second system call uses another struct sigevent that is allocated internally by glibc (and not the sigev2 that is passed to the nptl-level timer_create), and this bug is complaining about the uninitialized trailing bytes in this internal struct sigevent obtained from __timer_alloc().
This is not a bug. It would be wasteful to clear the unused memory, and a kernel ABI compatibility bug if it ever mattered to do so.