tech-kern archive


kernel crash, struct ptimer and callouts



Hi,

Been wondering recently as to why struct ptimer has a union of callout_t
and other data fields, namely pt_active and pt_list, given that at least
timer_create1() and dosetitimer() explicitly initialize both pt_ch and
pt_active. This will lead to a kernel crash whenever a CLOCK_REALTIME
timer (which has been created and set) is deleted with sys_timer_delete(),
because timer_settime() will set the callout's c_func to realtimerexpire()
(which will effectively clobber pt_active) and sys_timer_delete() will
decide to go through pt_list (which is in reality a chain of callouts),
which in turn will set the system on fire. This pattern [1] is tested and
valid for i386; other architectures might fail differently depending on
alignment and type sizes.

IOW, the current NetBSD kernel is vulnerable to a local DoS attack, which
is, sort of, bad. The proposed patch [2] is also appended.

[1]: http://koowaldah.org/people/ash/netbsd/pttest.c
[2]: http://koowaldah.org/people/ash/netbsd/ptimer-fix.diff

diff --git a/sys/sys/timevar.h b/sys/sys/timevar.h
index 90a9718..5d229a9 100644
--- a/sys/sys/timevar.h
+++ b/sys/sys/timevar.h
@@ -69,7 +69,7 @@
  * Structure used to manage timers in a process.
  */
 struct         ptimer {
-       union {
+       struct {
                callout_t       pt_ch;
                struct {
                        LIST_ENTRY(ptimer)      pt_list;
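Review bot: changing `union` to `struct` at the top of this hunk removes the aliasing between pt_ch and the pt_list block, but it also makes every struct ptimer carry both a callout_t and the list entry at all times, so the structure grows by about sizeof(callout_t) per timer; given the comment above the hunk ("Structure used to manage timers in a process"), that cost and the reason for it should be stated, either in the commit message or in a comment on the new anonymous struct. If a timer only ever uses one representation at a time, keeping the union and making timer_create1()/dosetitimer()/sys_timer_delete() select the member by clock type, instead of initializing both, is the cheaper alternative and worth mentioning as the rejected option. Either way the struct now needs a comment saying which of pt_ch and pt_list is meaningful for which clock; the hunk's context ends at pt_list, so pt_active and the closing braces are not visible here for review.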


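To make the aliasing concrete, here is an added example (not the poster's pttest.c and not NetBSD code) that mirrors the union described in the mail with toy stand-ins for callout_t and LIST_ENTRY (assumed layouts: a function pointer is the first member of the callout, an object pointer is the first member of the list entry) and replays the create/settime/delete sequence on both the union layout and the patched struct layout:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy stand-ins for the kernel types (assumption: the real callout_t and
 * LIST_ENTRY() differ in size and content; only "first member is a
 * pointer" matters for the overlap shown here).
 */
struct toy_ptimer;

typedef struct toy_callout {
	void	(*c_func)(void *);	/* what timer_settime() installs */
	void	*c_arg;
	int	c_flags;
} toy_callout_t;

struct toy_list_entry {
	struct toy_ptimer	*le_next;
	struct toy_ptimer	**le_prev;
};

/* "before": the union layout from sys/sys/timevar.h as described above */
struct ptimer_union {
	union {
		toy_callout_t	pt_ch;
		struct {
			struct toy_list_entry	pt_list;
			int			pt_active;
		} pt_nonreal;
	} pt_data;
};

/* "after": the same members as a struct, as the patch proposes */
struct ptimer_struct {
	struct {
		toy_callout_t	pt_ch;
		struct {
			struct toy_list_entry	pt_list;
			int			pt_active;
		} pt_nonreal;
	} pt_data;
};

static void
toy_realtimerexpire(void *arg)
{
	(void)arg;
}

/*
 * timer_create1()/dosetitimer() set up the list view, then timer_settime()
 * installs the expiry handler in the callout.  Written as a macro so the
 * accesses go through the enclosing object and the compiler sees the
 * union aliasing (no pointer-based type punning).
 */
#define REPLAY_SEQUENCE(pt)						\
	do {								\
		memset(&(pt), 0, sizeof(pt));				\
		(pt).pt_data.pt_nonreal.pt_list.le_next = NULL;		\
		(pt).pt_data.pt_nonreal.pt_active = 1;			\
		(pt).pt_data.pt_ch.c_func = toy_realtimerexpire;	\
		(pt).pt_data.pt_ch.c_arg = &(pt);			\
		(pt).pt_data.pt_ch.c_flags = 0x5a5a;			\
	} while (0)

/*
 * What sys_timer_delete() reads back through the list view: nonzero if
 * le_next or pt_active no longer hold what was stored, i.e. the callout
 * write clobbered them (in the kernel, le_next would then be walked as
 * a ptimer pointer, which is the crash).
 */
#define LIST_VIEW_DAMAGED(pt)						\
	((pt).pt_data.pt_nonreal.pt_list.le_next != NULL ||		\
	    (pt).pt_data.pt_nonreal.pt_active != 1)

int
union_is_clobbered(void)
{
	struct ptimer_union pt;

	REPLAY_SEQUENCE(pt);
	return LIST_VIEW_DAMAGED(pt);	/* 1: c_func bytes now read as le_next */
}

int
struct_is_clobbered(void)
{
	struct ptimer_struct pt;

	REPLAY_SEQUENCE(pt);
	return LIST_VIEW_DAMAGED(pt);	/* 0: pt_ch and the list view are disjoint */
}

/* Why the overlap is unconditional: both union members start at offset 0. */
int
union_views_share_offset(void)
{
	return offsetof(struct ptimer_union, pt_data.pt_ch) ==
	    offsetof(struct ptimer_union, pt_data.pt_nonreal.pt_list);
}

/* The price of the patch: every timer now carries both members. */
int
struct_is_larger(void)
{
	return sizeof(struct ptimer_struct) > sizeof(struct ptimer_union);
}

int
main(void)
{
	printf("union layout, list view clobbered:  %d\n", union_is_clobbered());
	printf("struct layout, list view clobbered: %d\n", struct_is_clobbered());
	printf("struct layout is larger:            %d\n", struct_is_larger());
	return 0;
}
```

The result does not depend on the i386-specific sizes the mail mentions: because both union members begin at offset 0, installing c_func always overwrites the first pointer of pt_list, and the only thing alignment and type sizes change is which other fields (pt_active here, other callout members in the real struct) land on top of each other.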