On Mon, 11 Dec 2017, Eric Biggers wrote:
> On Sat, Dec 02, 2017 at 09:10:01PM -0800, syzbot wrote:
> > ---[ end trace 3570c98033660e3f ]---
>
> The bug is that sys_timer_create() allows setting ->it_sigev_notify to almost
> any value, but show_timer() assumes that it has one of a specific set of values.
> Here's a simplified reproducer:
>
> #include <fcntl.h>
> #include <signal.h>
> #include <time.h>
> #include <unistd.h>
>
> int main()
> {
>     struct sigevent e = {
>         .sigev_signo = 0x1c,
>         .sigev_notify = 0x100000,    /* not a valid SIGEV_* value, accepted anyway */
>     };
>     timer_t t;
>     int fd;
>     char buf[64];
>
>     timer_create(CLOCK_MONOTONIC, &e, &t);
>
>     fd = open("/proc/self/timers", O_RDONLY);
>
>     read(fd, buf, sizeof(buf));      /* show_timer() now sees the bogus value */
> }
>
> I wonder if anything would break if we made sys_timer_create() return -EINVAL
> for unrecognized values of sigev_notify? That's what it *should* do, but it
> seems to be the classic "unchecked flags" bug, yet again...

So this is the 5th time this comes up and I sent a patch the first time.
No answer since then, just more repeated reports.

https://marc.info/?l=linux-kernel&m=151204669103208&w=2

Thanks,

    tglx
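As an added example, not code from this thread or from the kernel tree, here is a user-space model of the two sides of the bug Eric describes: the validation of sigev_notify that timer_create() should perform, placed next to a show_timer()-style name lookup that only knows a fixed set of values. The function names notify_check() and notify_name(), the name table, and the accepted set (SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD, and SIGEV_SIGNAL|SIGEV_THREAD_ID) are this example's own assumptions; the point it shows is that once the value is range-checked at creation time, the printer never has to index a table with caller-controlled bits.

```c
#define _GNU_SOURCE           /* glibc exposes SIGEV_THREAD_ID under _GNU_SOURCE */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#ifndef SIGEV_THREAD_ID
#define SIGEV_THREAD_ID 4     /* Linux value; fallback for non-GNU headers */
#endif

/*
 * Added example, not kernel code.  notify_check() models the -EINVAL
 * path that the thread argues sys_timer_create() should take for
 * anything other than the documented notification modes.
 */
static int notify_check(int sigev_notify)
{
	switch (sigev_notify) {
	case SIGEV_NONE:
	case SIGEV_SIGNAL:
	case SIGEV_THREAD:
	case SIGEV_SIGNAL | SIGEV_THREAD_ID:
		return 0;
	default:
		return -EINVAL;   /* unknown or garbage flag bits: reject up front */
	}
}

/*
 * Models a /proc/<pid>/timers printer.  The table is indexed by the
 * notify mode with the SIGEV_THREAD_ID bit masked off, which is only
 * safe because notify_check() has already bounded the value; a value
 * like the reproducer's 0x100000 returns NULL here instead of being
 * used as an index.
 */
static const char *notify_name(int sigev_notify)
{
	static const char *const names[] = {
		[SIGEV_SIGNAL] = "signal",
		[SIGEV_NONE]   = "none",
		[SIGEV_THREAD] = "thread",
	};
	int base = sigev_notify & ~SIGEV_THREAD_ID;

	if (notify_check(sigev_notify) != 0)
		return NULL;
	return names[base];
}

int main(void)
{
	/* Constructed inputs: the reproducer's value plus the legitimate modes. */
	const int samples[] = { 0x100000, SIGEV_SIGNAL, SIGEV_NONE, SIGEV_THREAD,
				SIGEV_SIGNAL | SIGEV_THREAD_ID,
				SIGEV_THREAD | SIGEV_THREAD_ID };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int rc = notify_check(samples[i]);
		const char *name = notify_name(samples[i]);

		printf("sigev_notify=%#x -> %s%s\n", samples[i],
		       rc ? "EINVAL" : "ok, name=",
		       name ? name : "");
	}
	return 0;
}
```

The same shape applies to any "unchecked flags" interface: reject unknown bits at the entry point that accepts them from user space, so that every later consumer (here the /proc printer) only ever sees values from the documented set.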