Date: Thu, 06 Aug 2009 13:39:05 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: clock_nanosleep() with CLOCK_MONOTONIC_RAW NULL pointer dereference

Calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW can cause a NULL
pointer dereference. Appears to be introduced after commit 2d42244a
(v2.6.28-rc1).

Upstream commit:
http://git.kernel.org/linus/70d715fd0597f18528f389b5ac59102263067744

Reproducer/backtrace:
http://lkml.org/lkml/2009/8/4/28

clock_nanosleep ->
CLOCK_DISPATCH ->
common_nsleep(arglist) ->
hrtimer_nanosleep
      return hrtimer_nanosleep(tsave /* &ts */, rmtp /* NULL */,
                 flags & TIMER_ABSTIME /* turns out false */ ?
                 HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
                 which_clock); ->
do_nanosleep ->
hrtimer_start_expires ->
hrtimer_start_range_ns ->
__hrtimer_start_range_ns ->
lock_hrtimer_base ->
...

References:
http://lkml.org/lkml/2009/8/2/331
http://lkml.org/lkml/2009/8/4/40
https://bugzilla.redhat.com/show_bug.cgi?id=515867

Thanks, Eugene
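As an added illustration (my own userspace model, not kernel code and not part of the mail above): the dispatch pattern behind the trace, with the vulnerable clock table beside one whose CLOCK_MONOTONIC_RAW entry carries an explicit refusing handler, which is the shape of the upstream fix. Handler signatures are simplified, and the model assumes the oops comes from using the clock id as an index into the two-entry hrtimer base array; that is my reading of the trace, not something the mail states.

```c
#include <errno.h>
#include <stddef.h>
/* Clock ids as in <linux/time.h>; in 2.6.28 hrtimer had bases only for the first two. */
enum { CLOCK_REALTIME_ID = 0, CLOCK_MONOTONIC_ID = 1, CLOCK_MONOTONIC_RAW_ID = 4, MAX_CLOCKS_ID = 16 };
#define HRTIMER_BASES 2
#define MODEL_OOPS (-1000) /* stands in for the NULL dereference; a real kernel would crash here */

struct k_clock {
    int registered;                 /* models a non-NULL .clock_getres, so invalid_clockid() passes */
    int (*nsleep)(int which_clock); /* NULL means CLOCK_DISPATCH falls back to common_nsleep */
};

/* common_nsleep -> hrtimer_nanosleep -> hrtimer_init: the clock id is used as an index into
 * the hrtimer base array, which only exists for the clocks hrtimer actually knows about. */
static int common_nsleep(int which_clock)
{
    if (which_clock >= HRTIMER_BASES)
        return MODEL_OOPS;
    return 0; /* the sleep would proceed normally */
}

/* The fix: a clock with no hrtimer base gets an explicit handler that refuses to sleep. */
static int no_nsleep(int which_clock)
{
    (void)which_clock;
    return -EOPNOTSUPP;
}

/* CLOCK_DISPATCH(which_clock, nsleep, ...): a registered clock uses its own handler when it
 * has one, otherwise the common handler. Unregistered ids are rejected with -EINVAL first. */
static int clock_nanosleep_model(const struct k_clock *clocks, int which_clock)
{
    if (which_clock < 0 || which_clock >= MAX_CLOCKS_ID || !clocks[which_clock].registered)
        return -EINVAL;
    if (clocks[which_clock].nsleep)
        return clocks[which_clock].nsleep(which_clock);
    return common_nsleep(which_clock);
}

/* Vulnerable table: CLOCK_MONOTONIC_RAW is registered but has no .nsleep, so the fallback
 * runs with a clock id hrtimer has no base for. Fixed table: same clocks plus the stub. */
static const struct k_clock vulnerable_clocks[MAX_CLOCKS_ID] = {
    [CLOCK_REALTIME_ID] = { 1, NULL }, [CLOCK_MONOTONIC_ID] = { 1, NULL }, [CLOCK_MONOTONIC_RAW_ID] = { 1, NULL },
};
static const struct k_clock fixed_clocks[MAX_CLOCKS_ID] = {
    [CLOCK_REALTIME_ID] = { 1, NULL }, [CLOCK_MONOTONIC_ID] = { 1, NULL }, [CLOCK_MONOTONIC_RAW_ID] = { 1, no_nsleep },
};

int vulnerable_result(void) { return clock_nanosleep_model(vulnerable_clocks, CLOCK_MONOTONIC_RAW_ID); }
int fixed_result(void)      { return clock_nanosleep_model(fixed_clocks, CLOCK_MONOTONIC_RAW_ID); }
```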
