From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Biggers <ebiggers3@gmail.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	John Stultz <john.stultz@linaro.org>
Subject: [PATCH 3.18 14/45] posix-timer: Properly check sigevent->sigev_notify
Date: Thu, 15 Feb 2018 16:17:05 +0100	[thread overview]
Message-ID: <20180215144118.882107122@linuxfoundation.org> (raw)
In-Reply-To: <20180215144115.863307741@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit cef31d9af908243421258f1df35a4a644604efbe upstream.

timer_create() specifies via sigevent->sigev_notify the signal delivery for
the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
and (SIGEV_SIGNAL | SIGEV_THREAD_ID).

The sanity check in good_sigevent() is only checking the valid combination
for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
not set it accepts any random value.

This has no real effects on the posix timer and signal delivery code, but
it affects show_timer() which handles the output of /proc/$PID/timers. That
function uses a string array to pretty print sigev_notify. The access to
that array has no bound checks, so random sigev_notify cause access beyond
the array bounds.

Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
masking from various code paths, as SIGEV_NONE can never be set in
combination with SIGEV_THREAD_ID.

Reported-by: Eric Biggers <ebiggers3@gmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/time/posix-timers.c |   34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -500,17 +500,22 @@ static struct pid *good_sigevent(sigeven
 {
 	struct task_struct *rtn = current->group_leader;
 
-	if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
-		(!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
-		 !same_thread_group(rtn, current) ||
-		 (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
+	switch (event->sigev_notify) {
+	case SIGEV_SIGNAL | SIGEV_THREAD_ID:
+		rtn = find_task_by_vpid(event->sigev_notify_thread_id);
+		if (!rtn || !same_thread_group(rtn, current))
+			return NULL;
+		/* FALLTHRU */
+	case SIGEV_SIGNAL:
+	case SIGEV_THREAD:
+		if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
+			return NULL;
+		/* FALLTHRU */
+	case SIGEV_NONE:
+		return task_pid(rtn);
+	default:
 		return NULL;
-
-	if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
-	    ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
-		return NULL;
-
-	return task_pid(rtn);
+	}
 }
 
 void posix_timers_register_clock(const clockid_t clock_id,
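Review bot: The switch in good_sigevent() is now the only thing standing between an arbitrary userspace sigev_notify value and the unchecked string-array index in show_timer() that the commit message describes, yet nothing in the function records that dependency, so a later change that widens the default case would silently reopen the out-of-bounds read. A header comment such as `/* Returns NULL for any sigev_notify other than SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD and SIGEV_SIGNAL|SIGEV_THREAD_ID; show_timer() indexes a table by this value with no bounds check, so every other value must be rejected here. */` would pin that contract down. The find_task_by_vpid() call in the thread-id case presumably relies on the caller holding the RCU read lock, as the old code did, but the call site is not visible in this hunk. The signature line of good_sigevent() is outside the hunk as well.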
@@ -738,8 +743,7 @@ common_timer_get(struct k_itimer *timr,
 	/* interval timer ? */
 	if (iv.tv64)
 		cur_setting->it_interval = ktime_to_timespec(iv);
-	else if (!hrtimer_active(timer) &&
-		 (timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
+	else if (!hrtimer_active(timer) && timr->it_sigev_notify != SIGEV_NONE)
 		return;
 
 	now = timer->base->get_time();
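Review bot: The direct `!= SIGEV_NONE` comparison here, and the matching ones in the three hunks below in common_timer_get() and common_timer_set(), are correct only while it_sigev_notify is stored exactly as validated by good_sigevent() and SIGEV_THREAD_ID is never combined with SIGEV_NONE; that invariant is established in the timer creation path, which is outside these hunks. A one-line comment where it_sigev_notify is assigned, e.g. `/* validated by good_sigevent(): never SIGEV_NONE | SIGEV_THREAD_ID */`, would keep the mask-free comparisons from reading as an accidental omission. common_timer_get() both starts and ends outside this hunk.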
@@ -750,7 +754,7 @@ common_timer_get(struct k_itimer *timr,
 	 * expiry is > now.
 	 */
 	if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING ||
-	    (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE))
+			timr->it_sigev_notify == SIGEV_NONE))
 		timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv);
 
 	remaining = ktime_sub(hrtimer_get_expires(timer), now);
@@ -760,7 +764,7 @@ common_timer_get(struct k_itimer *timr,
 		 * A single shot SIGEV_NONE timer must return 0, when
 		 * it is expired !
 		 */
-		if ((timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
+		if (timr->it_sigev_notify != SIGEV_NONE)
 			cur_setting->it_value.tv_nsec = 1;
 	} else
 		cur_setting->it_value = ktime_to_timespec(remaining);
@@ -858,7 +862,7 @@ common_timer_set(struct k_itimer *timr,
 	timr->it.real.interval = timespec_to_ktime(new_setting->it_interval);
 
 	/* SIGEV_NONE timers are not queued ! See common_timer_get */
-	if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
+	if (timr->it_sigev_notify == SIGEV_NONE) {
 		/* Setup correct expiry time for relative timers */
 		if (mode == HRTIMER_MODE_REL) {
 			hrtimer_add_expires(timer, timer->base->get_time());

