If a struct sigevent with SIGEV_SIGNAL is passed to timer_create(2),

check the signal number to be in the allowed range. An invalid signal number could crash the kernel by overflowing the sigset_t array. More checks would be good, and SIGEV_THREAD shouldn't be dropped silently, but this fixes at least the local DOS vulnerability.
2009-12-10 12:39:12 +00:00 · 2009-12-10 12:39:12 +00:00 · a1a04dd1be
parent fb022d0910
commit a1a04dd1be
1 changed files with 6 additions and 3 deletions
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.162 2009/10/03 20:48:42 elad Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.163 2009/12/10 12:39:12 drochner Exp $	*/

 /*-
 * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@ -61,7 +61,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.162 2009/10/03 20:48:42 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.163 2009/12/10 12:39:12 drochner Exp $");

 #include <sys/param.h>
 #include <sys/resourcevar.h>
@ -531,7 +531,10 @@ timer_create1(timer_t *tid, clockid_t id, struct sigevent *evp,
 		if (((error =
 		    (*fetch_event)(evp, &pt->pt_ev, sizeof(pt->pt_ev))) != 0) ||
 		    ((pt->pt_ev.sigev_notify < SIGEV_NONE) ||
-			(pt->pt_ev.sigev_notify > SIGEV_SA))) {
+			(pt->pt_ev.sigev_notify > SIGEV_SA)) ||
+			(pt->pt_ev.sigev_notify == SIGEV_SIGNAL &&
+			 (pt->pt_ev.sigev_signo <= 0 ||
+			  pt->pt_ev.sigev_signo >= NSIG))) {
 			pool_put(&ptimer_pool, pt);
 			return (error ? error : EINVAL);
 		}