• Thomas Gleixner's avatar
    posix-timer: Properly check sigevent->sigev_notify · cef31d9a
    Thomas Gleixner authored
    timer_create() specifies via sigevent->sigev_notify the signal delivery for
    the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
    and (SIGEV_SIGNAL | SIGEV_THREAD_ID).
    
    The sanity check in good_sigevent() is only checking the valid combination
    for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
    not set it accepts any random value.
    
    This has no real effects on the posix timer and signal delivery code, but
    it affects show_timer() which handles the output of /proc/$PID/timers. That
    function uses a string array to pretty print sigev_notify. The access to
    that array has no bound checks, so random sigev_notify cause access beyond
    the array bounds.
    
    Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
    masking from various code pathes as SIGEV_NONE can never be set in
    combination with SIGEV_THREAD_ID.
    Reported-by: default avatarEric Biggers <ebiggers3@gmail.com>
    Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Reported-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Cc: John Stultz <john.stultz@linaro.org>
    Cc: stable@vger.kernel.org
    cef31d9a
posix-timers.c 35.5 KB