Commit 78f5009c authored by Petr Mladek's avatar Petr Mladek Committed by Linus Torvalds
Browse files

ipc/sem.c: avoid overflow of semop undo (semadj) value 



When trying to understand semop code, I found a small mistake in the check
for semadj (undo) value overflow.  The new undo value is not stored
immediately and next potential checks are done against the old value.

The failing scenario is not much practical.  One semop call has to do more
operations on the same semaphore.  Also semval and semadj must have
different values, so there has to be some operations without SEM_UNDO
flag.  For example:

	struct sembuf depositor_op[1];
	struct sembuf collector_op[2];

	depositor_op[0].sem_num = 0;
	depositor_op[0].sem_op = 20000;
	depositor_op[0].sem_flg = 0;

	collector_op[0].sem_num = 0;
	collector_op[0].sem_op = -10000;
	collector_op[0].sem_flg = SEM_UNDO;
	collector_op[1].sem_num = 0;
	collector_op[1].sem_op = -10000;
	collector_op[1].sem_flg = SEM_UNDO;

	if (semop(semid, depositor_op, 1) == -1)
		{ perror("Failed to do 1st deposit"); return 1; }

	if (semop(semid, collector_op, 2) == -1)
		{ perror("Failed to do 1st collect"); return 1; }

	if (semop(semid, depositor_op, 1) == -1)
		{ perror("Failed to do 2nd deposit"); return 1; }

	if (semop(semid, collector_op, 2) == -1)
		{ perror("Failed to do 2nd collect"); return 1; }

	return 0;

It passes without error now but the semadj value has overflown in the 2nd
collector operation.

[akpm@linux-foundation.org: restore lessened scope of local `undo']
[davidlohr@hp.com: correct header comment for perform_atomic_semop]
Signed-off-by: default avatarPetr Mladek <pmladek@suse.cz>
Acked-by: default avatarDavidlohr Bueso <davidlohr@hp.com>
Acked-by: default avatarManfred Spraul <manfred@colorfullife.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: default avatarDavidlohr Bueso <davidlohr@hp.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 729abd2b

ipc/sem.c

+13 −11
Original line number Diff line number Diff line
@@ -584,10 +584,11 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg) 
	return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);

}



/** perform_atomic_semop - Perform (if possible) a semaphore operation

/**

 * perform_atomic_semop - Perform (if possible) a semaphore operation

 * @sma: semaphore array

 * @sops: array with operations that should be checked

 * @nsems: number of sops

 * @nsops: number of operations

 * @un: undo array

 * @pid: pid that did the change

 *
@@ -595,7 +596,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg) 
 * Returns 1 if the operation is impossible, the caller must sleep.

 * Negative values are error codes.

 */



static int perform_atomic_semop(struct sem_array *sma, struct sembuf *sops,

			     int nsops, struct sem_undo *un, int pid)

{
@@ -616,22 +616,21 @@ static int perform_atomic_semop(struct sem_array *sma, struct sembuf *sops, 
			goto would_block;

		if (result > SEMVMX)

			goto out_of_range;



		if (sop->sem_flg & SEM_UNDO) {

			int undo = un->semadj[sop->sem_num] - sem_op;

			/*

	 		 *	Exceeding the undo range is an error.

			 */

			/* Exceeding the undo range is an error. */

			if (undo < (-SEMAEM - 1) || undo > SEMAEM)

				goto out_of_range;

			un->semadj[sop->sem_num] = undo;

		}



		curr->semval = result;

	}



	sop--;

	while (sop >= sops) {

		sma->sem_base[sop->sem_num].sempid = pid;

		if (sop->sem_flg & SEM_UNDO)

			un->semadj[sop->sem_num] -= sop->sem_op;

		sop--;

	}
@@ -650,7 +649,10 @@ would_block: 
undo:

	sop--;

	while (sop >= sops) {

		sma->sem_base[sop->sem_num].semval -= sop->sem_op;

		sem_op = sop->sem_op;

		sma->sem_base[sop->sem_num].semval -= sem_op;

		if (sop->sem_flg & SEM_UNDO)

			un->semadj[sop->sem_num] += sem_op;

		sop--;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE