Opened 4 years ago
Closed 4 years ago
#16757 closed bug (fixed)
Kernel Panic on Multiple user_xsi_msgget Syscall Invocations
| Reported by: | thosewhowork | Owned by: | nobody |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | System/Kernel | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
Hello,
It is possible to cause a kernel panic by invoking the xsi_msgget syscall with fuzzed low integer inputs.
I believe the issue is a NULL pointer dereference here: https://github.com/haiku/haiku/blob/master/src/system/kernel/posix/xsi_message_queue.cpp#L685-L686
Where messageQueue is still NULL after calling .Lookup
This test program should reproduce the issue:
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
typedef int (*syscall_kern_xsi_msgget)(int, int);
int
main(int argc, char** argv) {
int i = 0;
syscall_kern_xsi_msgget p_kern_xsi_msgget = NULL;
if ((p_kern_xsi_msgget = dlsym(RTLD_DEFAULT, "_kern_xsi_msgget")) == NULL) {
return 1;
}
for (; i < 0xffff; i++) {
printf("%d\n", i);
fflush(stdout);
usleep(500);
p_kern_xsi_msgget(i, i);
p_kern_xsi_msgget(i, i);
}
return 0;
}
Compiled with:
gcc -o xsi_msgget_syscall src/X-xsi_msgget_syscall.c
System Details
Haiku Version: Haiku Nightly rev54891
Guest Machine: VMWare Fusion 8.5.3
Host Machine: Mac OS Mojave
I've attached the backtrace from the kernel debugger.
Thanks!
Attachments (1)
Change History (3)
by , 4 years ago
| Attachment: | X-user_xsi_msgget_trace_nightly.png added |
|---|
comment:2 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fix merged. Thanks again for reporting!
Note:
See TracTickets
for help on using tickets.
xsi_msgget trace