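/*
 * Description: pthread_attr_getaffinity_np may corrupt memory by writing
 * beyond the bounds of the caller-supplied cpuset buffer if that buffer is
 * smaller than the cpuset buffer stored in the thread attributes.
 *
 * Reproducer: store a cpuset sized for 512 CPUs in a pthread_attr_t, then
 * read it back into a buffer sized for a single CPU.  On an unfixed glibc the
 * copy writes past the end of the small buffer (heap corruption).  The loop
 * repeats the sequence, presumably so the corruption becomes observable.
 */

/* cpu_set_t, CPU_ALLOC/CPU_ALLOC_SIZE/CPU_ZERO_S/CPU_FREE and the
   pthread_attr_*affinity_np functions are GNU extensions; glibc only declares
   them when _GNU_SOURCE is defined before the first include.  Without this the
   reproducer does not compile with a plain `gcc` invocation.  */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sched.h>
#include <errno.h>

/* Call F (...) and return its result from the enclosing function when it is
   non-zero.  Note that pthread_* functions return the error code directly
   rather than setting errno, so the errno printed here is informational
   only.  Written as do/while (0) so it is a single standard-C statement
   (the original used a GCC statement expression).  */
#define RETURN_IF_FAIL(f, ...)                                              \
  do                                                                        \
    {                                                                       \
      int ret_ = f (__VA_ARGS__);                                           \
      if (ret_ != 0)                                                        \
        {                                                                   \
          printf ("%s:%d: %s returned %d (errno = %d)\n", __FILE__,         \
                  __LINE__, #f, ret_, errno);                               \
          return ret_;                                                      \
        }                                                                   \
    }                                                                       \
  while (0)

/* Returns 0 on success; on failure prints the failing call and returns the
   error code it produced (or 1 if CPU_ALLOC returned NULL).  An early return
   from RETURN_IF_FAIL does not release ATTR or CPUSET; this is a throwaway
   reproducer and the process exits right after.  */
int
main (void)
{
  for (int i = 0; i < 10; i++)
    {
      pthread_attr_t attr;

      /* Source cpuset: room for 512 CPUs, every bit cleared.  */
      size_t cpusetsize = CPU_ALLOC_SIZE (512);
      cpu_set_t *cpuset = CPU_ALLOC (512);
      if (cpuset == NULL)
        {
          printf ("%s:%d: CPU_ALLOC failed\n", __FILE__, __LINE__);
          return 1;
        }
      CPU_ZERO_S (cpusetsize, cpuset);

      RETURN_IF_FAIL (pthread_attr_init, &attr);
      RETURN_IF_FAIL (pthread_attr_setaffinity_np, &attr, cpusetsize, cpuset);
      CPU_FREE (cpuset);

      /* Destination cpuset: room for a single CPU, i.e. much smaller than
         the copy now held inside ATTR.  */
      cpusetsize = CPU_ALLOC_SIZE (1);
      cpuset = CPU_ALLOC (1);
      if (cpuset == NULL)
        {
          pthread_attr_destroy (&attr);
          printf ("%s:%d: CPU_ALLOC failed\n", __FILE__, __LINE__);
          return 1;
        }

      /* On an unfixed glibc this copies the whole 512-CPU set into the
         one-CPU buffer and overruns it.  */
      RETURN_IF_FAIL (pthread_attr_getaffinity_np, &attr, cpusetsize, cpuset);
      CPU_FREE (cpuset);

      /* The original reproducer never destroyed ATTR, leaking the cpuset
         copy it holds on every iteration.  */
      pthread_attr_destroy (&attr);
    }
  return 0;
}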
Fixed in master: commit 5865a56bf4e31c5a152e46454367a99c5971ac02 Author: Siddhesh Poyarekar <siddhesh@redhat.com> Date: Fri Jun 14 01:20:06 2013 +0530 Avoid access beyond memory bounds in pthread_attr_getaffinity_np Resolves BZ #15618. pthread_attr_getaffinity_np may write beyond the bounds of the caller's cpuset buffer if the size of that buffer is smaller than the cpuset buffer held in the input pthread attributes. The fix limits the copy to the smaller of the source and destination sizes.