Commit c68f9a4d authored by Roland McGrath, committed by Linus Torvalds

[PATCH] fix posix-timers leak

Exec fails to clean up posix-timers.  This manifests itself in two ways, one
worse than the other.  In the single-threaded case, it just fails to clear out
the timers on exec.  POSIX says that exec clears out the timers from
timer_create (though not the setitimer ones), so it's wrong that a lingering
timer could fire after exec and kill the process with a signal it's not
expecting.  In the multi-threaded case, it not only leaves lingering timers,
but it leaks them entirely when it replaces signal_struct, so they will never
be freed by the process exiting after that exec.  The new per-user
RLIMIT_SIGPENDING actually limits the damage here, because a UID will fill up
its quota with leaked timers and then never be able to use timer_create again
(that's what my test program does).  But if you have many many untrusted UIDs,
this leak could be considered a DoS risk.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 5daa8679
...@@ -741,8 +741,10 @@ static inline int de_thread(struct task_struct *tsk) ...@@ -741,8 +741,10 @@ static inline int de_thread(struct task_struct *tsk)
spin_unlock(&oldsighand->siglock); spin_unlock(&oldsighand->siglock);
write_unlock_irq(&tasklist_lock); write_unlock_irq(&tasklist_lock);
if (newsig && atomic_dec_and_test(&oldsig->count)) if (newsig && atomic_dec_and_test(&oldsig->count)) {
exit_itimers(oldsig);
kmem_cache_free(signal_cachep, oldsig); kmem_cache_free(signal_cachep, oldsig);
}
if (atomic_dec_and_test(&oldsighand->count)) if (atomic_dec_and_test(&oldsighand->count))
kmem_cache_free(sighand_cachep, oldsighand); kmem_cache_free(sighand_cachep, oldsighand);