oss-sec mailing list archives
CVE request: kernel: clock_nanosleep() with CLOCK_MONOTONIC_RAW NULL pointer dereference
From: Eugene Teo <eugene () redhat com>
Date: Thu, 06 Aug 2009 13:39:05 +0800
Calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW can cause a NULL pointer dereference. Appears to be introduced after commit 2d42244a (v2.6.28-rc1).

Upstream commit:
http://git.kernel.org/linus/70d715fd0597f18528f389b5ac59102263067744

Reproducer/backtrace:
http://lkml.org/lkml/2009/8/4/28

clock_nanosleep
-> CLOCK_DISPATCH
-> common_nsleep(arglist)
-> hrtimer_nanosleep
   return hrtimer_nanosleep(tsave /* &ts */, rmtp /* NULL */,
          flags & TIMER_ABSTIME /* turns out false */ ? HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
          which_clock);
-> do_nanosleep
-> hrtimer_start_expires
-> hrtimer_start_range_ns
-> __hrtimer_start_range_ns
-> lock_hrtimer_base
-> ...

References:
http://lkml.org/lkml/2009/8/2/331
http://lkml.org/lkml/2009/8/4/40
https://bugzilla.redhat.com/show_bug.cgi?id=515867

Thanks,
Eugene