Bug 15618

Summary: Possible access beyond memory bounds in pthread_attr_getaffinity
Product: glibc
Reporter: Siddhesh Poyarekar <siddhesh>
Component: nptl
Assignee: Siddhesh Poyarekar <siddhesh>
Status: RESOLVED FIXED
Severity: normal
CC: drepper.fsp, fweimer
Priority: P2
Flags: fweimer: security+
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Siddhesh Poyarekar 2013-06-13 18:54:13 UTC
Description:

pthread_attr_getaffinity_np may corrupt memory by writing beyond bounds of the input cpuset buffer if the given buffer is smaller than the buffer in the thread attributes.

Reproducer:

#define _GNU_SOURCE   /* pthread_attr_*affinity_np and CPU_ALLOC are GNU extensions */
#include <pthread.h>
#include <stdio.h>
#include <sched.h>
#include <errno.h>

/* Call f (...) and bail out of main with a diagnostic if it fails.
   Uses a GNU statement expression, so build with gcc or clang
   (e.g. gcc -pthread repro.c).  */
#define RETURN_IF_FAIL(f, ...) \
  ({                                                                          \
    int ret = f (__VA_ARGS__);                                                \
    if (ret != 0)                                                             \
      {                                                                       \
        printf ("%s:%d: %s returned %d (errno = %d)\n", __FILE__, __LINE__,   \
                #f, ret, errno);                                              \
        return ret;                                                           \
      }                                                                       \
  })

int
main (void)
{
  for (int i = 0; i < 10; i++)
    {
      pthread_attr_t attr;
      /* Store a mask sized for 512 CPUs in the attribute.  */
      cpu_set_t *cpuset = CPU_ALLOC (512);
      size_t cpusetsize = CPU_ALLOC_SIZE (512);
      CPU_ZERO_S (cpusetsize, cpuset);

      RETURN_IF_FAIL (pthread_attr_init, &attr);
      RETURN_IF_FAIL (pthread_attr_setaffinity_np, &attr, cpusetsize, cpuset);
      CPU_FREE (cpuset);

      /* Read it back into a buffer sized for a single CPU.  An unfixed
         pthread_attr_getaffinity_np copies the full stored mask anyway
         and writes past the end of this allocation.  */
      cpuset = CPU_ALLOC (1);
      cpusetsize = CPU_ALLOC_SIZE (1);
      RETURN_IF_FAIL (pthread_attr_getaffinity_np, &attr, cpusetsize, cpuset);
      CPU_FREE (cpuset);

      /* Release the attribute's own copy of the mask each iteration.  */
      RETURN_IF_FAIL (pthread_attr_destroy, &attr);
    }
  return 0;
}
Comment 1 Siddhesh Poyarekar 2013-06-13 19:50:18 UTC
Fixed in master:

commit 5865a56bf4e31c5a152e46454367a99c5971ac02
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Fri Jun 14 01:20:06 2013 +0530

    Avoid access beyond memory bounds in pthread_attr_getaffinity_np
    
    Resolves BZ #15618.
    
    pthread_attr_getaffinity_np may write beyond bounds of the input
    cpuset buffer if the size of the input buffer is smaller than the
    buffer present in the input pthread attributes.  Fix is to copy to the
    extent of the minimum of the source and the destination.
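The two copy strategies that the report and the commit message contrast, as an added C illustration that is not glibc's code: a model of the attribute's stored mask, the pre-fix copy that trusts the stored size, and the bounded copy that limits itself to the minimum of the source and destination sizes and zero-fills the rest. The struct and function names, the 8-byte/64-byte sizes (the sizes CPU_ALLOC_SIZE gives for 1 and 512 CPUs on glibc) and the 0xAA guard pattern are this example's own choices, and the EINVAL branch that refuses a buffer too small to hold a CPU that is actually set goes beyond what the commit text states; it is added here as the defensive refinement a reviewer would ask for, so that shortening the copy cannot silently drop CPUs.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for the affinity fields of glibc's internal attribute object
   (field names chosen for this example).  */
struct attr_model
{
  size_t cpusetsize;      /* bytes of storage behind `cpuset` */
  unsigned char *cpuset;  /* stored affinity mask, or NULL if none set */
};

typedef int (*getter_fn) (const struct attr_model *, size_t, unsigned char *);

/* Pre-fix copy step: copies the whole stored mask, trusting that the
   caller's buffer holds at least attr->cpusetsize bytes.  A smaller
   buffer is written past its end.  */
static int
getaffinity_unbounded (const struct attr_model *attr, size_t dstsize,
                       unsigned char *dst)
{
  if (attr->cpuset == NULL)
    {
      memset (dst, 0, dstsize);
      return 0;
    }
  memcpy (dst, attr->cpuset, attr->cpusetsize);   /* dstsize never consulted */
  if (attr->cpusetsize < dstsize)
    memset (dst + attr->cpusetsize, 0, dstsize - attr->cpusetsize);
  return 0;
}

/* Bounded copy step: copy at most the smaller of the two sizes and
   zero-fill whatever remains of the destination.  The EINVAL check is
   this example's addition: a set CPU the caller's buffer cannot
   represent is reported rather than silently dropped.  */
static int
getaffinity_bounded (const struct attr_model *attr, size_t dstsize,
                     unsigned char *dst)
{
  if (attr->cpuset == NULL)
    {
      memset (dst, 0, dstsize);
      return 0;
    }
  for (size_t i = dstsize; i < attr->cpusetsize; i++)
    if (attr->cpuset[i] != 0)
      return EINVAL;

  size_t n = MIN (attr->cpusetsize, dstsize);
  memcpy (dst, attr->cpuset, n);
  if (dstsize > n)
    memset (dst + n, 0, dstsize - n);
  return 0;
}

/* The report's scenario against a guard region: the attribute holds a
   64-byte (512-CPU) all-zero mask and the caller offers 8 bytes.  The 8
   bytes and the guard are one array, so the unbounded copy stays inside
   allocated memory here; the return value counts overwritten guard bytes.  */
#define SMALL_SIZE 8
#define STORED_SIZE 64

static size_t
guard_bytes_clobbered (getter_fn getter, int *rc)
{
  unsigned char stored[STORED_SIZE] = { 0 };
  struct attr_model attr = { STORED_SIZE, stored };
  unsigned char buf[STORED_SIZE];          /* SMALL_SIZE bytes + guard */
  memset (buf, 0xAA, sizeof buf);          /* constructed guard pattern */

  *rc = getter (&attr, SMALL_SIZE, buf);

  size_t clobbered = 0;
  for (size_t i = SMALL_SIZE; i < sizeof buf; i++)
    if (buf[i] != 0xAA)
      clobbered++;
  return clobbered;
}

/* Bounded getter with CPU 80 set (byte 10, bit 0) and only 8 bytes offered.  */
static int
bounded_rejects_set_bits_beyond (void)
{
  unsigned char stored[STORED_SIZE] = { 0 };
  stored[10] = 0x01;
  struct attr_model attr = { STORED_SIZE, stored };
  unsigned char buf[SMALL_SIZE];
  return getaffinity_bounded (&attr, SMALL_SIZE, buf);
}

/* Bounded getter with an 8-byte stored mask and a 16-byte destination:
   returns 1 if the copied byte is intact and the tail was zero-filled.  */
static int
bounded_zero_fills_larger_dst (void)
{
  unsigned char stored[SMALL_SIZE] = { 0x03 };
  struct attr_model attr = { SMALL_SIZE, stored };
  unsigned char buf[2 * SMALL_SIZE];
  memset (buf, 0xAA, sizeof buf);
  if (getaffinity_bounded (&attr, sizeof buf, buf) != 0)
    return 0;
  for (size_t i = SMALL_SIZE; i < sizeof buf; i++)
    if (buf[i] != 0)
      return 0;
  return buf[0] == 0x03;
}

int
main (void)
{
  int rc;
  printf ("unbounded: %zu guard bytes clobbered\n",
          guard_bytes_clobbered (getaffinity_unbounded, &rc));
  printf ("bounded:   %zu guard bytes clobbered, rc=%d\n",
          guard_bytes_clobbered (getaffinity_bounded, &rc), rc);
  return 0;
}
```

The guard-region check is the same kind of evidence a sanitizer or a malloc debugging build would give for the original reproducer, without relying on undefined behaviour: the unbounded copy overwrites all 56 guard bytes, the bounded one none. The zero-fill branch matters in the other direction (a caller buffer larger than the stored mask) so that stale bytes in the caller's buffer are never read back as affinity.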