oss-sec mailing list archives

CVE request: kernel: clock_nanosleep() with CLOCK_MONOTONIC_RAW NULL pointer dereference


From: Eugene Teo <eugene () redhat com>
Date: Thu, 06 Aug 2009 13:39:05 +0800

Calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW can cause a NULL
pointer dereference. Appears to be introduced after commit 2d42244a
(v2.6.28-rc1).

Upstream commit:
http://git.kernel.org/linus/70d715fd0597f18528f389b5ac59102263067744

Reproducer/backtrace:
http://lkml.org/lkml/2009/8/4/28

clock_nanosleep ->
CLOCK_DISPATCH ->
common_nsleep(arglist) ->
hrtimer_nanosleep
      return hrtimer_nanosleep(tsave /* &ts */, rmtp /* NULL */,
                 flags & TIMER_ABSTIME /* turns out false */ ?
                 HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
                 which_clock); ->
do_nanosleep ->
hrtimer_start_expires ->
hrtimer_start_range_ns ->
__hrtimer_start_range_ns ->
lock_hrtimer_base ->
...

References:
http://lkml.org/lkml/2009/8/2/331
http://lkml.org/lkml/2009/8/4/40
https://bugzilla.redhat.com/show_bug.cgi?id=515867

Thanks, Eugene
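The following is an added illustration, not part of Eugene's mail and not kernel source: a small user-space C model of the per-clock dispatch that the call chain above walks through (clock_nanosleep -> CLOCK_DISPATCH -> the clock's nanosleep handler). The struct and function names, the table contents and the no_nanosleep_model stub are assumptions modelled on the shape of the linked upstream fix, which registers a handler returning -EOPNOTSUPP for CLOCK_MONOTONIC_RAW instead of leaving the slot empty; the clock id numbers match Linux's. It shows why an operations table with an unfilled slot is an indirect call through NULL waiting for the matching clockid, and two defensive measures: auditing the table for missing handlers, and checking the slot before the indirect call.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of a per-clock operations table, in the spirit
 * of the kernel's struct k_clock. Illustration code only, not kernel code. */

enum {
    CLK_REALTIME      = 0,
    CLK_MONOTONIC     = 1,
    CLK_MONOTONIC_RAW = 4,   /* numeric ids as on Linux */
    CLK_MAX           = 5
};

typedef int (*nanosleep_fn)(int which_clock, int flags, long ns);

struct clock_ops {
    const char  *name;       /* NULL = clock id not registered at all */
    nanosleep_fn nanosleep;  /* NULL = registered, but nobody wrote a handler */
};

/* Stand-in for common_nsleep(): a real implementation would sleep. */
static int common_nsleep_model(int which_clock, int flags, long ns)
{
    (void)which_clock; (void)flags; (void)ns;
    return 0;
}

/* Stand-in for a "not supported" stub, the shape of the upstream fix (assumed). */
static int no_nanosleep_model(int which_clock, int flags, long ns)
{
    (void)which_clock; (void)flags; (void)ns;
    return -EOPNOTSUPP;
}

/* Pre-fix shape: CLOCK_MONOTONIC_RAW is registered without a nanosleep handler. */
static const struct clock_ops vulnerable_table[CLK_MAX] = {
    [CLK_REALTIME]      = { "CLOCK_REALTIME",      common_nsleep_model },
    [CLK_MONOTONIC]     = { "CLOCK_MONOTONIC",     common_nsleep_model },
    [CLK_MONOTONIC_RAW] = { "CLOCK_MONOTONIC_RAW", NULL },
};

/* Post-fix shape: every registered clock has a handler, even if only a stub. */
static const struct clock_ops fixed_table[CLK_MAX] = {
    [CLK_REALTIME]      = { "CLOCK_REALTIME",      common_nsleep_model },
    [CLK_MONOTONIC]     = { "CLOCK_MONOTONIC",     common_nsleep_model },
    [CLK_MONOTONIC_RAW] = { "CLOCK_MONOTONIC_RAW", no_nanosleep_model },
};

/* Audit: id of the first registered clock whose nanosleep slot is NULL,
 * or -1 if the table is complete. Unregistered slots are skipped because
 * the syscall rejects those ids before it ever reaches the dispatch. */
int find_missing_nanosleep(const struct clock_ops *table, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (table[i].name != NULL && table[i].nanosleep == NULL)
            return (int)i;
    return -1;
}

/* Dispatch the way the call chain in the mail does, but with an explicit
 * NULL check on the slot. The pre-fix kernel had no such check, so the
 * CLOCK_MONOTONIC_RAW row of the vulnerable table became an indirect call
 * through NULL; here that case is turned into -ENOSYS instead of a crash. */
int clock_nanosleep_model(const struct clock_ops *table, size_t n,
                          int which_clock, int flags, long ns)
{
    if (which_clock < 0 || (size_t)which_clock >= n ||
        table[which_clock].name == NULL)
        return -EINVAL;                  /* unknown clock id, rejected early */
    if (table[which_clock].nanosleep == NULL)
        return -ENOSYS;                  /* the crash site, now guarded */
    return table[which_clock].nanosleep(which_clock, flags, ns);
}

int main(void)
{
    printf("vulnerable table: first clock lacking nanosleep = %d\n",
           find_missing_nanosleep(vulnerable_table, CLK_MAX));
    printf("fixed table:      first clock lacking nanosleep = %d\n",
           find_missing_nanosleep(fixed_table, CLK_MAX));
    printf("fixed table, CLOCK_MONOTONIC_RAW nanosleep -> %d (-EOPNOTSUPP is %d)\n",
           clock_nanosleep_model(fixed_table, CLK_MAX, CLK_MONOTONIC_RAW, 0, 1000),
           -EOPNOTSUPP);
    return 0;
}
```

The audit function is the check worth running at table-definition time (or in a unit test) whenever a new clock is added to such a table: a clock that is reachable from user space through a syscall must answer every operation the syscall can dispatch, even if the answer is "not supported". The runtime NULL check is defence in depth for the same class of bug and does not replace filling in the slot.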
