From: Eric Biggers
To: syzbot
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, tglx@linutronix.de
Subject: Re: general protection fault in string
Date: Mon, 11 Dec 2017 15:11:28 -0800
Message-ID: <20171211231128.GB48753@gmail.com>
In-Reply-To: <20171211230305.GA48753@gmail.com>
References: <001a1143e6ccdb8581055f499952@google.com> <001a1143fb3e24a4e4055f689d15@google.com> <20171211230305.GA48753@gmail.com>

On Mon, Dec 11, 2017 at 03:03:05PM -0800, Eric Biggers wrote:
>
> The bug is that sys_timer_create() allows setting ->it_sigev_notify to almost
> any value, but show_timer() assumes that it has one of a specific set of values.
> Here's a simplified reproducer:
>
> #include <signal.h>
> #include <time.h>
> #include <fcntl.h>
> #include <unistd.h>
>
> int main()
> {
>         /* sigev_notify is not one of the SIGEV_* values the kernel expects */
>         struct sigevent e = {
>                 .sigev_signo = 0x1c,
>                 .sigev_notify = 0x100000,
>         };
>         timer_t t;
>         int fd;
>         char buf[64];
>
>         timer_create(CLOCK_MONOTONIC, &e, &t);
>
>         /* show_timer() runs when the timer list is read back */
>         fd = open("/proc/self/timers", O_RDONLY);
>
>         read(fd, buf, sizeof(buf));
> }
>
> I wonder if anything would break if we made sys_timer_create() return -EINVAL
> for unrecognized values of sigev_notify? That's what it *should* do, but it
> seems to be the classic "unchecked flags" bug, yet again...
>

Ah, I see that this was previously reported and a fix was already sent out
(https://marc.info/?l=linux-kernel&m=151204669103208&w=2). Let's mark this
report as a duplicate:

#syz dup: general protection fault in show_timer
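The "unchecked flags" pattern the message describes has two halves: an entry point that accepts any integer in a field that only has a handful of documented values, and a consumer that later trusts the field (here, by using it as a table index). The user-space program below is an added illustration, not the kernel's code and not the fix linked above; `sigev_notify_is_valid()` and `sigev_notify_name()` are hypothetical helpers that show the producer-side rejection and a consumer that cannot be driven to a wild pointer by an unrecognised value. The `SIGEV_THREAD_ID` fallback value is Linux's and is only used if the libc headers do not expose the macro.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>

#ifndef SIGEV_THREAD_ID
#define SIGEV_THREAD_ID 4 /* Linux value; fallback when the libc headers do not expose it */
#endif

/*
 * Producer side: validate at the entry point. Hypothetical helper, not the
 * kernel's own code; it accepts only the documented notify modes and rejects
 * everything else, which is what returning -EINVAL from the syscall would do.
 */
int sigev_notify_is_valid(const struct sigevent *e)
{
    switch (e->sigev_notify) {
    case SIGEV_SIGNAL | SIGEV_THREAD_ID:   /* Linux: deliver to a specific thread */
    case SIGEV_SIGNAL:
    case SIGEV_THREAD:
        /* signal-delivering modes also need a usable signal number */
        return e->sigev_signo > 0 && e->sigev_signo <= SIGRTMAX;
    case SIGEV_NONE:
        return 1;
    default:
        return 0;   /* e.g. 0x100000 from the reproducer: unknown bits, reject */
    }
}

/*
 * Consumer side: never index a name table with the raw value. A switch with a
 * default branch returns a fixed string for unknown modes instead of reading
 * past the end of an array, so it stays safe even if validation was skipped
 * somewhere else.
 */
const char *sigev_notify_name(int notify)
{
    switch (notify & ~SIGEV_THREAD_ID) {
    case SIGEV_SIGNAL: return "signal";
    case SIGEV_NONE:   return "none";
    case SIGEV_THREAD: return "thread";
    default:           return "unknown";
    }
}

int main(void)
{
    /* constructed inputs: the reproducer's values next to a well-formed request */
    struct sigevent bad  = { .sigev_signo = 0x1c,    .sigev_notify = 0x100000 };
    struct sigevent good = { .sigev_signo = SIGUSR1, .sigev_notify = SIGEV_SIGNAL };

    printf("bad:  valid=%d name=%s\n",
           sigev_notify_is_valid(&bad), sigev_notify_name(bad.sigev_notify));
    printf("good: valid=%d name=%s\n",
           sigev_notify_is_valid(&good), sigev_notify_name(good.sigev_notify));
    return 0;
}
```

The two checks are independent on purpose: the entry-point check is the real fix, and the consumer-side `default` is the belt-and-braces that turns a future missed check into a harmless "unknown" rather than a crash.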