semctl bug
Kris Kennaway
kris at obsecurity.org
Sat Aug 19 20:29:03 UTC 2006
On Wed, Jul 26, 2006 at 04:04:06PM +0800, ?????? wrote:
> In file kern/sysv_sem.c:
> 554 __semctl(td, uap)
> 555 struct thread *td;
> 556 struct __semctl_args *uap;
> 557 {
> 558 int semid = uap->semid; <<<here 1
> 559 int semnum = uap->semnum;
> 560 int cmd = uap->cmd;
> 561 u_short *array;
> 562 union semun *arg = uap->arg;
> 563 union semun real_arg;
> 564 struct ucred *cred = td->td_ucred;
> 565 int i, rval, error;
> 566 struct semid_ds sbuf;
> 567 struct semid_kernel *semakptr;
> 568 struct mtx *sema_mtxp;
> 569 u_short usval, count;
> 570
> 571 DPRINTF(("call to semctl(%d, %d, %d, 0x%x)\n",
> 572 semid, semnum, cmd, arg));
> 573 if (!jail_sysvipc_allowed && jailed(td->td_ucred))
> 574 return (ENOSYS);
> 575
> 576 array = NULL;
> 577
> 578 switch(cmd) {
> 579 case SEM_STAT:
> 580 if (semid < 0 || semid >= seminfo.semmni) <<<here 2
> 581 return (EINVAL);
> 582 if ((error = copyin(arg, &real_arg, sizeof(real_arg)))
> != 0)
> 583 return (error);
> 584 semakptr = &sema[semid];<<<here 3
>
> >From line 558 to line 578, there must be a mechism to convert the
> sem_id to the internal sema array index. In fact, it was missing,
> which make the semctl syscall not work well. The return valure of
> semget, the semaphore ID, is larger than 65535. when test on line 580
> return EINVAL in any case. Following code also using the semid which
> is from user directly as index of sema[] array.
Please submit a PR so this bug report is not lost.
Kris
More information about the freebsd-bugs
mailing list