tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kernel crash, struct ptimer and callouts


Been wondering recently as to why struct ptimer has a union of callout_t
and other data fields, namely pt_active and pt_list, given that at least
timer_create1() dosetitimer() explicitly initialize both pt_ch and
pt_active. This will lead to a kernel crash whenever a CLOCK_REALTIME
timer (which has been created and set) is deleted with sys_timer_delete(),
because timer_settime() will set callout's c_func to realtimerexpire()
(which will effectively clobber pt_active) and sys_timer_delete() will
decide to go through pt_list (which is in reality a chain of callouts),
which in turn will set the system on fire. This pattern [1] is tested and
valid for i386, other architectures might fail differently depending on
the alignment and type sizes.

IOW, current netbsd kernel is vulnerable to at local dos attack, which
sort of, bad. Proposed patch [2] is also appended.


diff --git a/sys/sys/timevar.h b/sys/sys/timevar.h
index 90a9718..5d229a9 100644
--- a/sys/sys/timevar.h
+++ b/sys/sys/timevar.h
@@ -69,7 +69,7 @@
  * Structure used to manage timers in a process.
 struct         ptimer {
-       union {
+       struct {
                callout_t       pt_ch;
                struct {
                        LIST_ENTRY(ptimer)      pt_list;

Home | Main Index | Thread Index | Old Index