From 761cf903a732a69fa2856e60154a2c7e1d2923f3 Mon Sep 17 00:00:00 2001
From: y30015170 <1169998606@qq.com>
Date: Thu, 29 May 2025 09:47:47 +0800
Subject: [PATCH 1/2] Description: kernel_liteos_a timer_delete RaceConditions Bug IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/ICC279 Feature Or Bugfix: Feature Binary Source: No
Signed-off-by: y30015170 <1169998606@qq.com>
---
 compat/posix/src/time.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/compat/posix/src/time.c b/compat/posix/src/time.c
index c7e6521f..eb5f0223 100644
--- a/compat/posix/src/time.c
+++ b/compat/posix/src/time.c
@@ -820,6 +820,7 @@ int timer_create(clockid_t clockID, struct sigevent *restrict evp, timer_t *rest
 int OsTimerCreate(clockid_t clockID, struct ksigevent *evp, timer_t *timerID)
 {
+ UINT32 intSave;
 UINT32 ret;
 UINT16 swtmrID;
 swtmr_proc_arg *arg = NULL;
@@ -843,8 +844,10 @@ int OsTimerCreate(clockid_t clockID, struct ksigevent *evp, timer_t *timerID)
 return -1;
 }
+ LOS_SpinLockSave(&g_timeSpin, &intSave);
 arg = (swtmr_proc_arg *)malloc(sizeof(swtmr_proc_arg));
 if (arg == NULL) {
+ LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
 errno = ENOMEM;
 return -1;
 }
@@ -857,6 +860,7 @@ int OsTimerCreate(clockid_t clockID, struct ksigevent *evp, timer_t *timerID)
 if (ret != LOS_OK) {
 errno = (ret == LOS_ERRNO_SWTMR_MAXSIZE) ? EAGAIN : EINVAL;
 free(arg);
+ LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
 return -1;
 }
@@ -865,17 +869,20 @@ int OsTimerCreate(clockid_t clockID, struct ksigevent *evp, timer_t *timerID)
 if (vid == MAX_INVALID_TIMER_VID) {
 free(arg);
 (VOID)LOS_SwtmrDelete(swtmrID);
+ LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
 return -1;
 }
 swtmrID = vid;
 #endif
 *timerID = (timer_t)(UINTPTR)swtmrID;
+ LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
 return 0;
 }
 int timer_delete(timer_t timerID)
 {
 UINT16 swtmrID = (UINT16)(UINTPTR)timerID;
+ UINT32 intSave;
 VOID *arg = NULL;
 UINTPTR swtmrProc;
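Review bot: The lock in OsTimerCreate is taken before `malloc`, so the allocation, and the `free(arg)` calls on the two failure paths in the following hunks, run inside a spinlock section that (as the `intSave` argument suggests) also has interrupts masked. `arg` is private to the calling thread until it is handed to `LOS_SwtmrCreate`, so nothing visible in this hunk needs protection that early. Moving `LOS_SpinLockSave(&g_timeSpin, &intSave);` down to just before the `LOS_SwtmrCreate` call, and calling `free(arg)` only after the unlock, would shorten the interrupts-off window and keep the allocator's own locking out of it. The same applies to the `free(arg)` that timer_delete performs under the lock and to the rewritten `malloc` line in patch 2/2. The function body starts and ends outside this hunk.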
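Review bot: The `vid == MAX_INVALID_TIMER_VID` branch returns -1 without setting `errno`, unlike the other failure paths of OsTimerCreate visible in this patch, so the caller sees whatever value an earlier call left behind. Since the commit already edits this branch to add the unlock, it is a natural place to add an assignment such as `errno = EAGAIN;` before `return -1;` (which code fits best is the maintainers' call). Patch 2/2 rewrites the same branch and leaves it without an `errno` assignment as well.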
@@ -885,15 +892,17 @@ int timer_delete(timer_t timerID)
 if (OS_INT_ACTIVE || !ValidTimerID(swtmrID)) {
 goto ERROUT;
 }
-
+ LOS_SpinLockSave(&g_timeSpin, &intSave);
 arg = (VOID *)OS_SWT_FROM_SID(swtmrID)->uwArg;
 swtmrProc = (UINTPTR)OS_SWT_FROM_SID(swtmrID)->pfnHandler;
 if (LOS_SwtmrDelete(swtmrID)) {
+ LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
 goto ERROUT;
 }
 if ((swtmrProc == (UINTPTR)SwtmrProc) && (arg != NULL)) {
 free(arg);
 }
+ LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
 #ifdef LOSCFG_SECURITY_VID
 RemoveNodeByVid((UINT16)(UINTPTR)timerID);
-- Gitee
From 446aad464275d121dea2ee95fef020cd3917874a Mon Sep 17 00:00:00 2001
From: y30015170 <1169998606@qq.com>
Date: Thu, 29 May 2025 10:44:37 +0800
Subject: [PATCH 2/2] Description: kernel_liteos_a timer_delete RaceConditions Bug IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/ICC279 Feature Or Bugfix: Feature Binary Source: No
Signed-off-by: y30015170 <1169998606@qq.com>
---
 compat/posix/src/time.c | 30 ++++++++++++------------------
 1 file changed, 12 insertions(+), 18 deletions(-)
diff --git a/compat/posix/src/time.c b/compat/posix/src/time.c
index eb5f0223..384b6b16 100644
--- a/compat/posix/src/time.c
+++ b/compat/posix/src/time.c
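Review bot: `ValidTimerID(swtmrID)` is still evaluated before `LOS_SpinLockSave`, so the validity check and the read of `uwArg`/`pfnHandler` are not one atomic step. ValidTimerID's body is not in the hunk, but if it tests ownership or the created state, the timer can be deleted and its slot handed out again between the check and the lock. Taking the lock first and then testing `if (!ValidTimerID(swtmrID))` under it, with an unlock before `goto ERROUT`, would close that window; `OS_INT_ACTIVE` can stay outside. It is also worth confirming that the other readers of `uwArg` (the `SwtmrProc` callback and the set/get paths, none of which appear in this patch) take `g_timeSpin`, otherwise the `free(arg)` here can still race with them. The function continues past the end of the hunk.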
@@ -829,25 +829,20 @@ int OsTimerCreate(clockid_t clockID, struct ksigevent *evp, timer_t *timerID)
 UINT16 vid;
 #endif
- if ((clockID != CLOCK_REALTIME) || (timerID == NULL)) {
- errno = EINVAL;
- return -1;
- }
-
 signo = evp ? evp->sigev_signo : SIGALRM;
- if (signo > SIGRTMAX || signo < 1) {
+ if ((clockID != CLOCK_REALTIME) || (timerID == NULL) || (signo > SIGRTMAX) || (signo < 1)) {
 errno = EINVAL;
 return -1;
 }
+
 if (evp && (evp->sigev_notify != SIGEV_SIGNAL && evp->sigev_notify != SIGEV_THREAD_ID)) {
 errno = ENOTSUP;
 return -1;
 }
 LOS_SpinLockSave(&g_timeSpin, &intSave);
- arg = (swtmr_proc_arg *)malloc(sizeof(swtmr_proc_arg));
- if (arg == NULL) {
- LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
+ if ((arg = (swtmr_proc_arg *)malloc(sizeof(swtmr_proc_arg))) == NULL) {
+ LOS_SpinUnlockRestore(&g_timeSpin, intSave);
 errno = ENOMEM;
 return -1;
 }
@@ -856,26 +851,24 @@ int OsTimerCreate(clockid_t clockID, struct ksigevent *evp, timer_t *timerID)
 arg->sigev_signo = signo;
 arg->pid = LOS_GetCurrProcessID();
 arg->sigev_value.sival_ptr = evp ? evp->sigev_value.sival_ptr : NULL;
- ret = LOS_SwtmrCreate(1, LOS_SWTMR_MODE_ONCE, SwtmrProc, &swtmrID, (UINTPTR)arg);
- if (ret != LOS_OK) {
+ if ((ret = LOS_SwtmrCreate(1, LOS_SWTMR_MODE_ONCE, SwtmrProc, &swtmrID, (UINTPTR)arg)) != LOS_OK) {
 errno = (ret == LOS_ERRNO_SWTMR_MAXSIZE) ? EAGAIN : EINVAL;
 free(arg);
- LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
+ LOS_SpinUnlockRestore(&g_timeSpin, intSave);
 return -1;
 }
 #ifdef LOSCFG_SECURITY_VID
- vid = AddNodeByRid(swtmrID);
- if (vid == MAX_INVALID_TIMER_VID) {
+ if ((vid = AddNodeByRid(swtmrID)) == MAX_INVALID_TIMER_VID) {
 free(arg);
 (VOID)LOS_SwtmrDelete(swtmrID);
- LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
+ LOS_SpinUnlockRestore(&g_timeSpin, intSave);
 return -1;
 }
 swtmrID = vid;
 #endif
 *timerID = (timer_t)(UINTPTR)swtmrID;
- LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
+ LOS_SpinUnlockRestore(&g_timeSpin, intSave);
 return 0;
 }
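Review bot: Folding the assignments into the conditions (`if ((arg = (swtmr_proc_arg *)malloc(sizeof(swtmr_proc_arg))) == NULL)`, and likewise for `ret` and `vid` in the next hunk) changes no behaviour and makes these lock-holding error paths harder to audit. Keeping the two-statement form from patch 1/2 would leave the `intSave` by-value correction as the only change on those lines. OsTimerCreate now has four separate `LOS_SpinUnlockRestore` call sites; a single unlock label reached with `goto`, in the manner of `ERROUT` in timer_delete, would make a missed unlock on a future early return less likely. A short comment at the `LOS_SpinLockSave` call stating what `g_timeSpin` is meant to protect here would also help the next reader.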
@@ -892,17 +885,18 @@ int timer_delete(timer_t timerID)
 if (OS_INT_ACTIVE || !ValidTimerID(swtmrID)) {
 goto ERROUT;
 }
+
 LOS_SpinLockSave(&g_timeSpin, &intSave);
 arg = (VOID *)OS_SWT_FROM_SID(swtmrID)->uwArg;
 swtmrProc = (UINTPTR)OS_SWT_FROM_SID(swtmrID)->pfnHandler;
 if (LOS_SwtmrDelete(swtmrID)) {
- LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
+ LOS_SpinUnlockRestore(&g_timeSpin, intSave);
 goto ERROUT;
 }
 if ((swtmrProc == (UINTPTR)SwtmrProc) && (arg != NULL)) {
 free(arg);
 }
- LOS_SpinUnlockRestore(&g_timeSpin, &intSave);
+ LOS_SpinUnlockRestore(&g_timeSpin, intSave);
 #ifdef LOSCFG_SECURITY_VID
 RemoveNodeByVid((UINT16)(UINTPTR)timerID);
-- Gitee
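Review bot: `RemoveNodeByVid` runs after the final `LOS_SpinUnlockRestore`, whereas OsTimerCreate calls `AddNodeByRid` while holding `g_timeSpin`, so the two sides of the VID table update are not covered symmetrically. Between the unlock and the removal, the VID entry still refers to a software timer that has already been deleted, and depending on how IDs are recycled a concurrent OsTimerCreate could be handed the same underlying ID. If the VID table is meant to be covered by this lock, move the last `LOS_SpinUnlockRestore(&g_timeSpin, intSave);` below the `#ifdef LOSCFG_SECURITY_VID` block. RemoveNodeByVid's own locking is not visible here, and the `#endif` and the rest of timer_delete lie outside the hunk.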