[Bug 1940296] [NEW] SIGSEGV instead of EINVAL with invalid timer id in timer_delete() glibc 2.33

Colin Ian King 1940296 at bugs.launchpad.net
Tue Aug 17 13:31:08 UTC 2021


Public bug reported:

The timer_delete(2) man page states:

RETURN VALUE
       On success, timer_delete() returns 0.  On failure, -1 is returned,
       and errno is set to indicate the error.

ERRORS
       EINVAL timerid is not a valid timer ID.


The following shows that this is not strictly true:

$ cat t.c

#include <time.h>
#include <stdlib.h>

int main(void)
{
        timer_t t = (timer_t)0xe236f38802c65008ULL; /* arbitrary value, never returned by timer_create() */

        return timer_delete(t); /* man page: should be -1 with errno == EINVAL */
}

$ gcc t.c -lrt -g
$ ./a.out
Segmentation fault (core dumped)

$ valgrind ./a.out
==30195== Memcheck, a memory error detector
==30195== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30195== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==30195== Command: ./a.out
==30195==
==30195== Invalid read of size 4
==30195==    at 0x487FBF7: timerid_to_kernel_timer (kernel-posix-timers.h:94)
==30195==    by 0x487FBF7: timer_delete@@GLIBC_2.3.3 (timer_delete.c:35)
==30195==    by 0x10916E: main (t.c:8)
==30195==  Address 0xc46de710058ca010 is not stack'd, malloc'd or (recently) free'd
==30195==
==30195==
==30195== Process terminating with default action of signal 11 (SIGSEGV)
==30195==  General Protection Fault
==30195==    at 0x487FBF7: timerid_to_kernel_timer (kernel-posix-timers.h:94)
==30195==    by 0x487FBF7: timer_delete@@GLIBC_2.3.3 (timer_delete.c:35)
==30195==    by 0x10916E: main (t.c:8)
==30195==
==30195== HEAP SUMMARY:
==30195==     in use at exit: 0 bytes in 0 blocks
==30195==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==30195==
==30195== All heap blocks were freed -- no leaks are possible
==30195==
==30195== For lists of detected and suppressed errors, rerun with: -s
==30195== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

** Affects: glibc (Ubuntu)
     Importance: High
         Status: New

** Changed in: glibc (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1940296

Title:
  SIGSEGV instead of EINVAL with invalid timer id in timer_delete()
  glibc 2.33

Status in glibc package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1940296/+subscriptions
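An added example, not code from the bug report or from glibc, that models why an arbitrary timer_t faults in user space instead of coming back as -1/EINVAL. The faulting address in the valgrind trace, 0xc46de710058ca010, is exactly the bogus id 0xe236f38802c65008 shifted left by one bit, and the read is four bytes wide, which fits a tagged-id scheme: an even id is treated as a shifted pointer to a libc-internal per-timer struct and dereferenced to fetch the kernel timer id, while an odd id carries the kernel timer id directly and is validated by the kernel. That encoding, the struct layout, the registry wrapper and the names below are assumptions for illustration; checked_timer_delete takes the deletion function as a parameter and the demo passes a stub so it never calls the real timer_delete with garbage.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assumed encoding (reconstructed from the trace, not glibc source): an even
   id is a libc-internal struct pointer stored >> 1 (SIGEV_THREAD timers),
   an odd id carries the kernel timer id as (ktimerid << 1) | 1. */
struct model_timer {
    int ktimerid;               /* the 4-byte field read for even ids */
};

/* Even ids are taken to be library-side (SIGEV_THREAD) timers. */
static bool model_is_sigev_thread(timer_t id)
{
    return ((uintptr_t)id & 1) == 0;
}

/* Address the library would read ktimerid from for an even id; nothing
   checks that it points at a struct the library allocated. */
static uintptr_t model_deref_address(timer_t id)
{
    return (uintptr_t)id << 1;
}

/* Kernel timer id carried by an odd id; the kernel validates this value
   and fails timer_delete(2) with EINVAL when it is unknown. */
static int model_kernel_id(timer_t id)
{
    return (int)((uintptr_t)id >> 1);
}

/* Caller-side registry of ids actually returned by timer_create(), so
   stale or garbage ids are rejected before they reach the library. */
#define MAX_LIVE 64
static timer_t live[MAX_LIVE];
static size_t nlive;

static bool registry_contains(timer_t id)
{
    for (size_t i = 0; i < nlive; i++)
        if (live[i] == id)
            return true;
    return false;
}

static int registry_add(timer_t id)
{
    if (registry_contains(id))
        return 0;
    if (nlive == MAX_LIVE) {
        errno = ENOSPC;
        return -1;
    }
    live[nlive++] = id;
    return 0;
}

static void registry_remove(timer_t id)
{
    for (size_t i = 0; i < nlive; i++)
        if (live[i] == id) {
            live[i] = live[--nlive];   /* swap-remove, order is irrelevant */
            return;
        }
}

/* Enforces the man-page contract at the call site: an unregistered id
   yields -1/EINVAL instead of reaching code that dereferences it.
   raw_delete is timer_delete in real code; it is a parameter here so the
   demo never hands garbage to the real function. */
static int checked_timer_delete(timer_t id, int (*raw_delete)(timer_t))
{
    if (!registry_contains(id)) {
        errno = EINVAL;
        return -1;
    }
    int rc = raw_delete(id);
    if (rc == 0)
        registry_remove(id);
    return rc;
}

/* Stand-in for timer_delete so the demo stays self-contained. */
static int stub_delete(timer_t id)
{
    (void)id;
    return 0;
}

int main(void)
{
    timer_t bogus = (timer_t)0xe236f38802c65008ULL;   /* value from the report */
    timer_t odd = (timer_t)(((uintptr_t)7 << 1) | 1);  /* what kernel id 7 would look like */

    printf("%#lx: %s, library would read an int at %#lx\n",
           (unsigned long)(uintptr_t)bogus,
           model_is_sigev_thread(bogus) ? "even" : "odd",
           (unsigned long)model_deref_address(bogus));
    printf("%#lx: odd, kernel sees timer id %d and can answer EINVAL\n",
           (unsigned long)(uintptr_t)odd, model_kernel_id(odd));
    /* A zeroed timer_t, a common "no timer yet" initialiser, is even too. */
    printf("0x0: even, library would read an int at %#lx\n",
           (unsigned long)model_deref_address((timer_t)0));

    if (checked_timer_delete(bogus, stub_delete) == -1)
        printf("checked_timer_delete(bogus) -> -1, errno=%d (EINVAL=%d)\n", errno, EINVAL);
    registry_add(odd);
    printf("checked_timer_delete(registered) -> %d\n", checked_timer_delete(odd, stub_delete));
    return 0;
}
```

Under the modelled encoding a zeroed timer_t is even as well, so code that initialises timers to 0 and unconditionally calls timer_delete on them would dereference a null pointer rather than get EINVAL; the call-site registry covers that case as well as stale ids. In real code pass timer_delete as raw_delete and register every id that timer_create hands back.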




More information about the foundations-bugs mailing list