public inbox for glibc-bugs@sourceware.org
* [Bug libc/28257] New: SIGSEGV instead of EINVAL with invalid timer id in timer_delete/timer_gettime/timer_settime
@ 2021-08-23 3:24 michael.hudson at canonical dot com
2021-08-23 3:25 ` [Bug libc/28257] " michael.hudson at canonical dot com
2021-08-23 10:54 ` fweimer at redhat dot com
0 siblings, 2 replies; 3+ messages in thread
From: michael.hudson at canonical dot com @ 2021-08-23 3:24 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28257
Bug ID: 28257
Summary: SIGSEGV instead of EINVAL with invalid timer id in
timer_delete/timer_gettime/timer_settime
Product: glibc
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: michael.hudson at canonical dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Forwarding from https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1940296:
The timer_delete(2) man page states:
    RETURN VALUE
           On success, timer_delete() returns 0. On failure, -1 is returned,
           and errno is set to indicate the error.

    ERRORS
           EINVAL timerid is not a valid timer ID.
The following shows that this is not strictly true:
$ cat t.c
#include <time.h>
#include <stdlib.h>

int main(void)
{
    timer_t t = (timer_t)0xe236f38802c65008ULL;
    return timer_delete(t);
}
$ gcc t.c -lrt -g
$ ./a.out
Segmentation fault (core dumped)
$ valgrind ./a.out
==30195== Memcheck, a memory error detector
==30195== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30195== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==30195== Command: ./a.out
==30195==
==30195== Invalid read of size 4
==30195== at 0x487FBF7: timerid_to_kernel_timer (kernel-posix-timers.h:94)
==30195== by 0x487FBF7: timer_delete@@GLIBC_2.3.3 (timer_delete.c:35)
==30195== by 0x10916E: main (t.c:8)
==30195== Address 0xc46de710058ca010 is not stack'd, malloc'd or (recently)
free'd
==30195==
==30195==
==30195== Process terminating with default action of signal 11 (SIGSEGV)
==30195== General Protection Fault
==30195== at 0x487FBF7: timerid_to_kernel_timer (kernel-posix-timers.h:94)
==30195== by 0x487FBF7: timer_delete@@GLIBC_2.3.3 (timer_delete.c:35)
==30195== by 0x10916E: main (t.c:8)
==30195==
==30195== HEAP SUMMARY:
==30195== in use at exit: 0 bytes in 0 blocks
==30195== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==30195==
==30195== All heap blocks were freed -- no leaks are possible
==30195==
==30195== For lists of detected and suppressed errors, rerun with: -s
==30195== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
Similar things happen with timer_gettime and timer_settime.
* [Bug libc/28257] SIGSEGV instead of EINVAL with invalid timer id in timer_delete/timer_gettime/timer_settime
From: michael.hudson at canonical dot com @ 2021-08-23 3:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28257
Michael Hudson-Doyle <michael.hudson at canonical dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael.hudson at canonical dot com
* [Bug libc/28257] SIGSEGV instead of EINVAL with invalid timer id in timer_delete/timer_gettime/timer_settime
From: fweimer at redhat dot com @ 2021-08-23 10:54 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28257
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |fweimer at redhat dot com
Resolution|--- |MOVED
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Please report this to the man-pages project if the manual page is unclear.
POSIX clearly describes what the program is doing as undefined behavior:
“
The behavior is undefined if the value specified by the timerid argument to
timer_delete() does not correspond to a timer ID returned by timer_create() but
not yet deleted by timer_delete().
”
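Since the reply above points out that POSIX leaves timer_delete() on an unknown timer ID undefined, a caller that wants a dependable EINVAL has to validate timer handles itself before they reach libc. The following is an added example, not code from this thread or from glibc; the handle table and the names app_timer_create, app_timer_delete and MAX_TIMERS are hypothetical, and the table is not thread-safe.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical handle table: callers hold a small index, never a raw timer_t. */
#define MAX_TIMERS 16
static struct { timer_t id; bool live; } slots[MAX_TIMERS];

/* Create a disarmed timer; returns a handle >= 0, or -1 with errno set. */
int app_timer_create(void)
{
    struct sigevent sev = { .sigev_notify = SIGEV_NONE };
    for (int h = 0; h < MAX_TIMERS; h++) {
        if (slots[h].live)
            continue;
        if (timer_create(CLOCK_MONOTONIC, &sev, &slots[h].id) != 0)
            return -1;
        slots[h].live = true;
        return h;
    }
    errno = EAGAIN;            /* table full */
    return -1;
}

/* Only handles that are in range and still live ever reach timer_delete(). */
int app_timer_delete(int h)
{
    if (h < 0 || h >= MAX_TIMERS || !slots[h].live) {
        errno = EINVAL;        /* the error the reporter expected from libc */
        return -1;
    }
    slots[h].live = false;     /* a second delete of the same handle stops above */
    return timer_delete(slots[h].id);
}

int main(void)
{
    int h = app_timer_create();
    printf("create       -> %d\n", h);
    printf("delete       -> %d\n", app_timer_delete(h));
    int r = app_timer_delete(h);
    printf("delete again -> %d (EINVAL: %d)\n", r, errno == EINVAL);
    return 0;
}
```

On glibc older than 2.34, link with -lrt as the report's own build line does.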