zenithsiz/ftmemsim-valgrind
1
0
Fork 0
mirror of https://github.com/Zenithsiz/ftmemsim-valgrind.git synced 2026-02-06 11:41:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ftmemsim-valgrind/none/tests/sem.c
Philippe Waroquiers 54145019b0 n-i-bz Fix possible stack trashing by semctl syscall wrapping 
The modified test none/tests/sem crashes with a SEGV when valgrind is compiled
with lto on various amd64 platforms (debian/gcc 6.3, RHEL7/gcc 6.4,
Ubuntu/gcc 7.2)

The problem is that the vki_semid_ds buf is not what is expected by the kernel:
the kernel expects a bigger structure vki_semid64_ds (at least on
these platforms).
Getting the sem_nsems seems to work by chance, as sem_nsems is at
the same offset in both vki_semid_ds and vki_semid64_ds.
However, e.g. the ctime was not set properly after syscall return,
and 2 words after sem_nsems were set to 0 by the kernel, causing
the SEGV, as a spilled register became 0.

Fix consists in using the 64 bit version for __NR_semctl.
Tested on debian/amd64 and s390x.
2018-04-01 14:31:40 +02:00

158 lines
3.1 KiB
C
Raw Blame History

#define _GNU_SOURCE
#include <config.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <time.h>
#include <unistd.h>
void semctl_test (int trace, const char *fname)
{
key_t key;
int semid;
int nr_of_readers;
int ret;
union semun {
int val; /* Value for SETVAL */
struct semid_ds *buf; /* Buffer for IPC_STAT, IPC_SET */
unsigned short *array; /* Array for GETALL, SETALL */
struct seminfo *__buf; /* Buffer for IPC_INFO
(Linux-specific) */
} u;
struct semid_ds ds;
key = ftok (fname, 1);
if (key == -1)
perror ("ftok");
nr_of_readers = 4;
semid = semget (key, 2 * nr_of_readers, IPC_CREAT + 0660);
if (semid == -1) {
perror ("semget");
}
if (trace)
printf("semid %d\n", semid);
u.buf = &ds;
ret = semctl (semid, 0, IPC_STAT, u);
if (ret == -1)
perror("semctl IPC_STAT");
if (trace)
printf("semid %d sem_nsems %d\n", semid, (int) ds.sem_nsems);
{
unsigned short semarray[2 * nr_of_readers];
for (int count = 0; count < nr_of_readers; count++) {
semarray[2 * count] = 0;
semarray[2 * count + 1] = 1000;
}
ret = semctl (semid, 0, SETALL, semarray);
if (ret == -1)
perror ("semctl SETALL");
}
ret = semctl (semid, 0, IPC_RMID);
if (ret == -1)
perror ("semctl IPC_RMID");
}
int main(int argc, char **argv)
{
int semid;
struct sembuf sop;
#ifdef HAVE_SEMTIMEDOP
struct timespec ts;
#endif
if ((semid = semget(IPC_PRIVATE, 1, 0600)) < 0)
{
perror("semget");
exit(1);
}
sop.sem_num = 0;
sop.sem_op = 1;
sop.sem_flg = 0;
if (semop(semid, &sop, 1) < 0)
{
perror("semop");
semctl(semid, 0, IPC_RMID);
exit(1);
}
if (semctl(semid, 0, GETVAL) != 1)
{
perror("semctl GETVAL");
semctl(semid, 0, IPC_RMID);
exit(1);
}
if (semctl(semid, 0, GETPID) != getpid())
{
perror("semctl GETPID");
semctl(semid, 0, IPC_RMID);
exit(1);
}
/* The next call to semtimedop causes the program to hang on
ppc32-linux (Yellow Dog 4.0). I don't know why. Hence the
extended ifdef. */
#if defined(HAVE_SEMTIMEDOP) && !defined(__powerpc__)
sop.sem_num = 0;
sop.sem_op = 0;
sop.sem_flg = 0;
ts.tv_sec = 0;
ts.tv_nsec = 1000000;
if (semtimedop(semid, &sop, 1, &ts) < 0 && errno != EAGAIN)
{
perror("semtimedop");
semctl(semid, 0, IPC_RMID);
exit(1);
}
#endif
sop.sem_num = 0;
sop.sem_op = -1;
sop.sem_flg = 0;
if (semop(semid, &sop, 1) < 0)
{
perror("semop");
semctl(semid, 0, IPC_RMID);
exit(1);
}
#ifdef HAVE_SEMTIMEDOP
sop.sem_num = 0;
sop.sem_op = 0;
sop.sem_flg = 0;
ts.tv_sec = 0;
ts.tv_nsec = 1000;
if (semtimedop(semid, &sop, 1, &ts) < 0)
{
perror("semtimedop");
semctl(semid, 0, IPC_RMID);
exit(1);
}
#endif
if (semctl(semid, 0, IPC_RMID) < 0)
{
perror("semctl(IPC_RMID)");
exit(1);
}
semctl_test(argc > 1, argv[0]);
exit(0);
}
Reference in New Issue View Git Blame Copy Permalink