On Mon, Dec 11, 2017 at 03:03:05PM -0800, Eric Biggers wrote:
>
> The bug is that sys_timer_create() allows setting ->it_sigev_notify to almost
> any value, but show_timer() assumes that it has one of a specific set of values.
> Here's a simplified reproducer:
>
> #include <fcntl.h>
> #include <signal.h>
> #include <time.h>
> #include <unistd.h>
>
> int main(void)
> {
>         struct sigevent e = {
>                 .sigev_signo = 0x1c,
>                 .sigev_notify = 0x100000,   /* not a recognized SIGEV_* value */
>         };
>         timer_t t;
>         int fd;
>         char buf[64];
>
>         timer_create(CLOCK_MONOTONIC, &e, &t);
>
>         /* show_timer() runs when this file is read */
>         fd = open("/proc/self/timers", O_RDONLY);
>
>         read(fd, buf, sizeof(buf));
>         return 0;
> }
>
> I wonder if anything would break if we made sys_timer_create() return -EINVAL
> for unrecognized values of sigev_notify?  That's what it *should* do, but it
> seems to be the classic "unchecked flags" bug, yet again...
>

Ah, I see that this was previously reported and a fix was already sent out
(https://marc.info/?l=linux-kernel&m=151204669103208&w=2).  Let's mark this
report as a duplicate:

#syz dup: general protection fault in show_timer
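The validation the mail says sys_timer_create() should have performed, written here as a user-space model (added example, not the kernel's code nor the fix linked above): accept only the documented sigev_notify values and reject the rest with -EINVAL. The signal-number range check and the SIGRTMAX bound are assumptions for this model; thread-id validity for SIGEV_THREAD_ID is not modeled.

```c
#define _GNU_SOURCE             /* glibc exposes SIGEV_THREAD_ID under _GNU_SOURCE */
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the missing check (assumption: not the kernel's actual code).
 * Returns 0 when the sigevent is acceptable, -EINVAL otherwise, mirroring
 * the kernel's negative-errno convention. A NULL sigevent is legal and means
 * "SIGEV_SIGNAL with SIGALRM", so it needs no further checks. */
int check_sigevent(const struct sigevent *e)
{
        if (e == NULL)
                return 0;

        switch (e->sigev_notify) {
        case SIGEV_NONE:
                return 0;        /* nothing is ever delivered; signo irrelevant */
        case SIGEV_SIGNAL:
        case SIGEV_THREAD:
        case SIGEV_THREAD_ID:
                break;           /* these deliver a signal: validate signo below */
        default:
                return -EINVAL;  /* e.g. 0x100000 from the reproducer */
        }

        /* Assumption: a deliverable signal must lie in 1..SIGRTMAX. */
        if (e->sigev_signo < 1 || e->sigev_signo > SIGRTMAX)
                return -EINVAL;
        return 0;
}

int main(void)
{
        /* Constructed input: the exact sigevent from the reproducer above. */
        struct sigevent repro = {
                .sigev_signo = 0x1c,
                .sigev_notify = 0x100000,
        };
        struct sigevent ok = {
                .sigev_signo = SIGALRM,
                .sigev_notify = SIGEV_SIGNAL,
        };

        printf("reproducer sigevent: %d (expect %d)\n", check_sigevent(&repro), -EINVAL);
        printf("SIGEV_SIGNAL/SIGALRM: %d (expect 0)\n", check_sigevent(&ok));
        return 0;
}
```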