[haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations

• From: "Haiku" <trac@xxxxxxxxxxxx>
• To: undisclosed-recipients: ;
• Date: Fri, 23 Jul 2021 16:07:57 -0000

#16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations
----------------------------+----------------------
  Reporter:  thosewhowork   |      Owner:  nobody
      Type:  bug            |     Status:  new
  Priority:  normal         |  Milestone:  R1/beta3
 Component:  System/Kernel  |    Version:  R1/beta2
Resolution:                 |   Keywords:
Blocked By:                 |   Blocking:
  Platform:  All            |
----------------------------+----------------------
Comment (by pulkomandy):

semaphoreSet would be NULL when invoking semaphoreSet->ID(). What is not

 clear exactly?

 It's not clear how we got in that situation, where the key appears to be
 valid (it is found in sIpcHashTable), but then it has no semaphoreSetId
 attached to it, or that semaphoreSetId is not found in
 sSemaphoreHashTable.

 I would have expected that if the key is valid, the data it points to
 should be valid too. My understanding is that a valid key always goes with
 a semaphore, and it does not appear to be possible to delete the semaphore
 without deleting the key.

 So, we are in a strange case that should not have been possible here: the
 key exists, but it points to no semaphore. How and when is it possible to
 get in that situation?

 After looking more closely at the code, here is one thing that could
 happen:

 - The key is created and inserted in the map here: https://git.haiku-
 os.org/haiku/tree/src/system/kernel/posix/xsi_semaphore.cpp#n763
 - However, for various reasons, creating the semaphore can fail later on
 in the function: https://git.haiku-
 os.org/haiku/tree/src/system/kernel/posix/xsi_semaphore.cpp#n798

 Probably the fuzzing test triggered this code path, as it calls the
 syscall with invalid arguments.

 So, it is possible to insert invalid keys in the hashmap here. An
 additional fix would be to move {{{sIpcHashTable.Insert(ipcKey);}}} to the
 end of the {{{if (create)}}}, where all error checks have been made
 already.
-- 
Ticket URL: <https://dev.haiku-os.org/ticket/16741#comment:9>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.

Other related posts:

• » [haiku-bugs] [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations - Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku
• » [haiku-bugs] Re: [Haiku] #16741: Kernel Panic on Multiple user_xsi_semget Syscall Invocations- Haiku

1. Home
2. haiku-bugs
3. Archive
4. 07-2021

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---