tech-kern archive
semctl(2) SETVAL/SETALL does not validate the semaphore value
Hi,
Looking at the semaphore code, while checking compat linux/linux32, I
noticed that semctl(2) SETVAL/SETALL does not validate the provided
semaphore value to be set, which needs to be in the expected range
[0;SEMVMX].
The attached patch should fix it (and update the man page
accordingly).
Is it OK?
--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.
Index: sys/kern/sysv_sem.c
===================================================================
RCS file: /cvsroot/src/sys/kern/sysv_sem.c,v
retrieving revision 1.82
diff -u -p -r1.82 sysv_sem.c
--- sys/kern/sysv_sem.c 28 Apr 2008 20:24:05 -0000 1.82
+++ sys/kern/sysv_sem.c 4 May 2008 22:21:34 -0000
@@ -603,6 +603,10 @@ semctl1(struct lwp *l, int semid, int se
break;
}
KASSERT(arg != NULL);
+ if ((unsigned int)arg->val > seminfo.semvmx) {
+ error = ERANGE;
+ break;
+ }
semaptr->_sem_base[semnum].semval = arg->val;
semundo_clear(ix, semnum);
cv_broadcast(&semcv[ix]);
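Review bot: In the SETVAL check, rejection of negative values depends entirely on the `(unsigned int)arg->val` cast turning them into large unsigned numbers, which is easy to miss when reading the code later. Writing the test as `arg->val < 0 || arg->val > seminfo.semvmx` states the [0;SEMVMX] range directly; if the cast is kept, a one-line comment saying that it also covers negative values would help.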
@@ -613,6 +617,10 @@ semctl1(struct lwp *l, int semid, int se
break;
KASSERT(arg != NULL);
for (i = 0; i < semaptr->sem_nsems; i++) {
+ if ((unsigned int)arg->array[i] > seminfo.semvmx) {
+ error = ERANGE;
+ break;
+ }
error = copyin(&arg->array[i],
&semaptr->_sem_base[i].semval,
sizeof(arg->array[i]));
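Review bot: The new test in the SETALL loop reads `arg->array[i]` directly, while the unchanged lines right after it fetch the same element with `copyin(&arg->array[i], ...)`, which indicates that arg->array is a user-space pointer and should not be dereferenced from kernel code. Suggest copying each element into a local with copyin() first, checking the local against seminfo.semvmx, and only then storing it in semval. Also, because the check sits inside the loop, an ERANGE at index i leaves entries 0..i-1 already overwritten; validating the whole array before writing any semval would keep SETALL all-or-nothing.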
Index: lib/libc/sys/semctl.2
===================================================================
RCS file: /cvsroot/src/lib/libc/sys/semctl.2,v
retrieving revision 1.16
diff -u -p -r1.16 semctl.2
--- lib/libc/sys/semctl.2 13 May 2004 10:20:58 -0000 1.16
+++ lib/libc/sys/semctl.2 4 May 2008 22:21:34 -0000
@@ -223,6 +223,13 @@ is not a valid command.
or
.Fa arg.array
specifies an invalid address.
+.It Bq Er ERANGE
+.Fa cmd
+is equal to
+.Dv SETVAL
+or
+.Dv SETALL
+and the value to be set is greater than the system semaphore maximum value.
.El
.Sh SEE ALSO
.Xr semget 2 ,
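Review bot: The new ERANGE entry says only "greater than the system semaphore maximum value", but the SETVAL check in sysv_sem.c casts the value to unsigned int, so a negative value is also answered with ERANGE. Suggest wording such as "is negative or greater than the system semaphore maximum value", and naming SEMVMX as the limit so the reader can tie the error to the [0;SEMVMX] range the patch enforces.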