semctl bug
李尚杰
shangjie.li at gmail.com
Wed Jul 26 08:04:15 UTC 2006
In file kern/sysv_sem.c:
554 __semctl(td, uap)
555 	struct thread *td;
556 	struct __semctl_args *uap;
557 {
558 	int semid = uap->semid;			<<<here 1
559 	int semnum = uap->semnum;
560 	int cmd = uap->cmd;
561 	u_short *array;
562 	union semun *arg = uap->arg;
563 	union semun real_arg;
564 	struct ucred *cred = td->td_ucred;
565 	int i, rval, error;
566 	struct semid_ds sbuf;
567 	struct semid_kernel *semakptr;
568 	struct mtx *sema_mtxp;
569 	u_short usval, count;
570 
571 	DPRINTF(("call to semctl(%d, %d, %d, 0x%x)\n",
572 	    semid, semnum, cmd, arg));
573 	if (!jail_sysvipc_allowed && jailed(td->td_ucred))
574 		return (ENOSYS);
575 
576 	array = NULL;
577 
578 	switch(cmd) {
579 	case SEM_STAT:
580 		if (semid < 0 || semid >= seminfo.semmni)	<<<here 2
581 			return (EINVAL);
582 		if ((error = copyin(arg, &real_arg, sizeof(real_arg))) != 0)
583 			return (error);
584 		semakptr = &sema[semid];			<<<here 3
From line 558 to line 578, there must be a mechanism to convert the
sem_id to the internal sema array index. In fact, it was missing,
which makes the semctl syscall not work well. The return value of
semget, the semaphore ID, is larger than 65535. When tested, line 580
returns EINVAL in any case. The following code also uses the semid,
which comes from the user directly, as the index of the sema[] array.
--
|Best regards.
|Shangjie, Li (Ph.D candidate)
|Institute of Software, Chinese Academy of Sciences,
|P.O. Box 8718, Beijing 100080, CHINA
|Phone: (8610)62561197/62635158-1008(O), 82680528(H)
|Email: shangjie02 at ios.cn
>---------------------------------------------------<
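Added example (not part of the bug report above and not FreeBSD's own code): a stand-alone re-implementation of the id-to-index conversion the report says is missing. It follows the layout used by the BSD System V IPC code, where the low 16 bits of an ipc id are the slot index and the high 16 bits are a per-slot sequence number, which is why a freshly returned id is larger than 65535. The macro names mirror those in sys/ipc.h, but the table, the demo_* functions and the table size are constructed for this example. The point for the reader is the lookup routine: a user-supplied id is never used as an array index until the index has been range-checked and the sequence number has been compared against the slot, so both out-of-range and stale ids are rejected with EINVAL instead of reaching the array.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed example: layout of a System V IPC id as used by the BSD
 * kernels (same names as the sys/ipc.h macros, re-implemented here).
 * low 16 bits  = slot index into the kernel's semaphore table
 * high 16 bits = sequence number, bumped every time the slot is reused */
#define IPCID_TO_IX(id)          ((id) & 0xffff)
#define IPCID_TO_SEQ(id)         (((id) >> 16) & 0xffff)
#define IXSEQ_TO_IPCID(ix, seq)  ((((seq) & 0xffff) << 16) | ((ix) & 0xffff))

#define DEMO_SEMMNI 4            /* constructed: slots in the demo table */

struct demo_sem {
	int            in_use;
	unsigned short seq;      /* sequence number of the current occupant */
};

static struct demo_sem demo_sema[DEMO_SEMMNI];   /* constructed table */

/* Allocate a free slot and hand back the user-visible id (-1 if full).
 * The sequence number is masked to 0x7fff so the id never goes negative. */
int demo_semget(void)
{
	for (int ix = 0; ix < DEMO_SEMMNI; ix++) {
		if (!demo_sema[ix].in_use) {
			demo_sema[ix].in_use = 1;
			demo_sema[ix].seq = (demo_sema[ix].seq + 1) & 0x7fff;
			return IXSEQ_TO_IPCID(ix, demo_sema[ix].seq);
		}
	}
	return -1;
}

/* Validate a user-supplied id and translate it to a table index.
 * Returns 0 and stores the index, or EINVAL for a negative, out-of-range
 * or stale id. This is the step the bug report says is missing before
 * sema[semid] is dereferenced. */
int demo_semid_to_index(int semid, int *ix_out)
{
	if (semid < 0)
		return EINVAL;
	int ix = IPCID_TO_IX(semid);
	if (ix >= DEMO_SEMMNI)
		return EINVAL;                          /* index past the table */
	if (!demo_sema[ix].in_use ||
	    demo_sema[ix].seq != IPCID_TO_SEQ(semid))
		return EINVAL;                          /* freed or reused slot */
	*ix_out = ix;
	return 0;
}

/* Free a slot; the sequence number stays, so the old id becomes stale. */
int demo_semrm(int semid)
{
	int ix, error = demo_semid_to_index(semid, &ix);
	if (error == 0)
		demo_sema[ix].in_use = 0;
	return error;
}

/* The check quoted at line 580 of the report, applied to the raw id:
 * returns 1 only if the unconverted id would pass it. */
int demo_raw_id_in_range(int semid)
{
	return semid >= 0 && semid < DEMO_SEMMNI;
}

int main(void)
{
	int ix;
	int id = demo_semget();
	printf("semget -> %d (ix %d, seq %d)\n", id, IPCID_TO_IX(id), IPCID_TO_SEQ(id));
	printf("raw id passes 'semid < semmni': %d\n", demo_raw_id_in_range(id));
	printf("converted lookup: %d\n", demo_semid_to_index(id, &ix));
	demo_semrm(id);
	printf("lookup after removal: %s\n",
	    demo_semid_to_index(id, &ix) == EINVAL ? "EINVAL" : "ok");
	return 0;
}
```

Running main() shows the first id is 65536 (index 0, sequence 1): the raw comparison against semmni rejects it, while the converted lookup accepts it until the slot is freed.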