Re: general protection fault in show_timer

From: Thomas Gleixner
Date: Thu Nov 30 2017 - 07:58:10 EST

Next message: Dmitry Vyukov: "Re: general protection fault in show_timer"
Previous message: Philippe Ombredanne: "Re: [PATCH v2] clk: stm32-h7: fix copyright"
In reply to: Alexey Dobriyan: "Re: general protection fault in show_timer"
Next in thread: Dmitry Vyukov: "Re: general protection fault in show_timer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 30 Nov 2017, Alexey Dobriyan wrote:

> [cc security@]
> 100% oops with interrupts disabled by nobody
> or kernel memory read
> [nods]
> you named the bug already
>
> "notify" directly comes from userspace struct sigevent::sigev_notify
> without adult supervision.
>
> Reproducer is timer_create + read(/proc/self/timers)

Bah. That's a really old one.

Tentative fix below. That needs more though but looking at the existing
check there is only one valid combo with SIGEV_THREAD_ID.

Thanks,

tglx

8<----------------
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -434,6 +434,16 @@ static struct pid *good_sigevent(sigeven
{
struct task_struct *rtn = current->group_leader;

+ switch (event->sigev_notify) {
+ case SIGEV_NONE:
+ case SIGEV_SIGNAL:
+ case SIGEV_SIGNAL | SIGEV_THREAD_ID:
+ case SIGEV_THREAD:
+ break;
+ default:
+ return NULL;
+ }
+
if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
(!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
!same_thread_group(rtn, current) ||

Next message: Dmitry Vyukov: "Re: general protection fault in show_timer"
Previous message: Philippe Ombredanne: "Re: [PATCH v2] clk: stm32-h7: fix copyright"
In reply to: Alexey Dobriyan: "Re: general protection fault in show_timer"
Next in thread: Dmitry Vyukov: "Re: general protection fault in show_timer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]