#16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations
---------------------------+--------------------------
Reporter: thosewhowork | Owner: nobody
Type: bug | Status: new
Priority: normal | Milestone: Unscheduled
Component: System/Kernel | Version: R1/beta2
Keywords: | Blocked By:
Blocking: | Platform: x86
---------------------------+--------------------------
Hi,
It is possible to cause a kernel panic by invoking the user_xsi_semget
syscall with the IPC_CREAT (01000 Octal / 512 Decimal) key twice in a row.
The issue is here:
https://github.com/haiku/haiku/blob/r1beta2/src/system/kernel/posix/xsi_semaphore.cpp#L774-L779
When the {{{semaphoreSet == NULL}}} condition is met, the block is
entered, which then causes a dereference on the NULL pointer with
{{{semaphoreSet->ID()}}}.
The following should reproduce the issue:
{{{
#include <dlfcn.h>
#include <stdlib.h>

typedef int (*syscall_kern_xsi_semget)(int, int, int);

int
main(int argc, char** argv)
{
	// IPC_CREAT is 01000 (Octal), 512 (Decimal)
	int i = 512;
	syscall_kern_xsi_semget p_kern_xsi_semget = NULL;

	// Resolve the raw syscall stub by name; give up if it is not exported.
	if ((p_kern_xsi_semget = (syscall_kern_xsi_semget)dlsym(RTLD_DEFAULT,
			"_kern_xsi_semget")) == NULL) {
		return 1;
	}

	// First call creates the ipcKey
	p_kern_xsi_semget(i, i, i);
	// Second call results in a NULL semaphoreSet, and subsequent NULL
	// pointer deref.
	p_kern_xsi_semget(i, i, i);

	return 0;
}
}}}
Compiled with:
{{{ gcc -o xsi_semget_syscall src/X-xsi_semget_syscall.c }}}
System Details
Haiku Version: Haiku R1/Beta2
Guest Machine: VMware Fusion 8.5.3
Host Machine: macOS Mojave
I've attached the backtrace from the kernel debugger.
Thanks!
--
Ticket URL: <https://dev.haiku-os.org/ticket/16741>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.
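The defect the ticket describes, reading {{{semaphoreSet->ID()}}} inside the branch that only runs when {{{semaphoreSet == NULL}}}, is the inverted-NULL-check shape of this bug class. The following is an added example, written for this page; it is not Haiku's kernel code and not the reporter's reproducer. It is a constructed user-space model of a semget-style handler: the names sem_set, lookup_set, create_set, semget_checked and reset_registry, the four-entry table and the errno-style return values are all this example's own assumptions, while the IPC_CREAT value is the one the ticket quotes. Every helper that can hand back NULL is checked before any field is read, and the failure is reported to the caller instead of being dereferenced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-in for a kernel semaphore-set registry. The struct,
 * helper names and table size are assumptions for this example, not
 * Haiku's; the IPC_CREAT value is the one quoted in the ticket.
 */
#define IPC_CREAT_FLAG 01000   /* 512 decimal */
#define MAX_SETS 4

struct sem_set {
	int key;
	int id;
	int nsems;
};

static struct sem_set registry[MAX_SETS];
static int registry_count;
static int next_id = 1;

/* Returns the set registered under `key`, or NULL when there is none. */
static struct sem_set *
lookup_set(int key)
{
	for (int i = 0; i < registry_count; i++) {
		if (registry[i].key == key)
			return &registry[i];
	}
	return NULL;
}

/* Registers a new set; returns NULL when the table is full. */
static struct sem_set *
create_set(int key, int nsems)
{
	if (registry_count >= MAX_SETS)
		return NULL;
	struct sem_set *set = &registry[registry_count++];
	set->key = key;
	set->id = next_id++;
	set->nsems = nsems;
	return set;
}

/*
 * Hardened semget-style handler. Both helpers above can legitimately return
 * NULL, so each result is tested before any field is read and the failure
 * is passed back as a negative errno value. The crash in the ticket is the
 * opposite pattern: reaching `set->id` on the very branch where `set` is
 * known to be NULL.
 */
int
semget_checked(int key, int nsems, int flags)
{
	struct sem_set *set = lookup_set(key);
	if (set == NULL) {
		if (!(flags & IPC_CREAT_FLAG))
			return -ENOENT;   /* no set, and the caller did not ask to create one */
		set = create_set(key, nsems);
		if (set == NULL)
			return -ENOSPC;   /* creation failed: report it, never dereference */
	}
	return set->id;
}

/* Clears the registry so the sequence below is reproducible. */
void
reset_registry(void)
{
	registry_count = 0;
	next_id = 1;
}

int
main(void)
{
	reset_registry();
	/* Same three-argument sequence as the ticket's reproducer: create the
	 * key, then request it again. Both calls must yield the same id. */
	int first = semget_checked(512, 512, 512);
	int second = semget_checked(512, 512, 512);
	printf("first=%d second=%d\n", first, second);
	return first == second ? 0 : 1;
}
```

The second call with the same key takes the lookup path and returns the existing id; a key that is absent without IPC_CREAT, or a creation that fails, comes back as an error code the caller can act on, which is the behaviour the ticket's crash path lacks.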