This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug librt/20489] New: timer_create in compatibility mode on a 64bit big-endian system is broken
- From: "ian.merin at thalesesec dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 18 Aug 2016 21:20:40 +0000
- Subject: [Bug librt/20489] New: timer_create in compatibility mode on a 64bit big-endian system is broken
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20489
Bug ID: 20489
Summary: timer_create in compatibility mode on a 64bit big-endian system is broken
Product: glibc
Version: 2.19
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: librt
Assignee: unassigned at sourceware dot org
Reporter: ian.merin at thalesesec dot com
Target Milestone: ---
On a big-endian system running a 64-bit operating system (specifically ppc64 GNU/Linux 3.12.37), in the case that the following is true:

    #if SHLIB_COMPAT (librt, GLIBC_2_2, GLIBC_2_3_3)

timer_create is redirected to

    int __timer_create_old (clockid_t clock_id, struct sigevent *evp,
                            int *timerid)

However, the signature for timer_create is:

    int timer_create(clockid_t clockid, struct sigevent *sevp,
                     timer_t *timerid);

On this system, timer_t is defined as a 64-bit type, while int is defined as a 32-bit type. Thus when the timerid is dereferenced and set to a specific index in the

    timer_t __compat_timer_list[OLD_TIMER_MAX] attribute_hidden;

array, the least significant 32 bits are ignored, and the timer_t variable is incorrectly assigned a very high index.

e.g. if the timer index returned is one, the memory for timerid will look like 0x0000000100000000 instead of 0x1.

Of course this causes access of invalid memory, and the calling program segfaults.
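The width mismatch the report describes, as an added example that is not part of the bug report or of glibc: it models the compat entry point's 32-bit store into the caller's 64-bit timer_t on both byte orders and checks the model against a real aliased store on the host (sim_timer_t and the function names are hypothetical stand-ins).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simulated stand-in for the 64-bit timer_t the report describes. */
typedef uint64_t sim_timer_t;

/* Value the caller reads back from its 64-bit timer_t after the compat
 * entry point stores a 32-bit int through an int* aliasing that object.
 * The int* store lands in the object's first four bytes on either byte
 * order; on big-endian those are the most significant half of the value. */
sim_timer_t simulate_old_timer_create(int index, int big_endian)
{
    unsigned char obj[sizeof(sim_timer_t)] = {0}; /* caller's zeroed timer_t */
    uint32_t idx = (uint32_t)index;
    for (int i = 0; i < 4; i++) {                 /* the 32-bit store */
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        obj[i] = (unsigned char)(idx >> shift);
    }
    sim_timer_t seen = 0;                         /* reread as 64-bit */
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        seen |= (sim_timer_t)obj[i] << shift;
    }
    return seen;
}

/* The same aliased store performed for real on this host, so the model
 * above can be checked against actual behaviour. */
sim_timer_t host_aliased_store(int index)
{
    sim_timer_t t = 0;
    memcpy(&t, &index, sizeof index); /* bytes an int* store would write */
    return t;
}

int host_is_big_endian(void)
{
    uint16_t probe = 1;
    unsigned char first_byte;
    memcpy(&first_byte, &probe, 1);
    return first_byte == 0;
}

int main(void)
{
    printf("big-endian: 0x%016llx  little-endian: 0x%016llx\n",
           (unsigned long long)simulate_old_timer_create(1, 1),
           (unsigned long long)simulate_old_timer_create(1, 0));
    return 0;
}
```

On a big-endian host the model yields 0x0000000100000000 for index 1, matching the value in the report, while a little-endian host happens to see 0x1 and never notices the bug.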